Warn (audited by ClawScan on May 10, 2026).

Overview

This skill is transparent about being a power tool, but it gives agents an unauthenticated localhost path to control root-level tmux, LLM, and bash sessions and to change workspace files.

Only install this on a dedicated, isolated machine where you are comfortable letting agents control terminals and workspace files. Verify the Sandboxer service source, add authentication or local socket protections, avoid root where possible, require confirmation for destructive or committing actions, and review workspace instruction files before dispatching sessions.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent or local caller could start terminals, type commands, interrupt sessions, alter workspace files, and commit changes; mistakes could damage repositories or running work.

Why it was flagged

The skill exposes broad terminal-control and file-mutation operations through simple API calls, with no documented approval gates, path allowlists, rollback, or limits on high-impact operations.

Skill content

`GET /api/create?type=T&dir=D` | Spawn session ...
`GET /api/send?session=S&text=T` | Send keystrokes ...
`GET/POST /api/workspace/W/file/PATH` | Read/write workspace files ...
`POST /api/auto-commit?workspace=W` | Commit workspace changes

Recommendation

Require explicit user approval for create/send/forward/file-write/auto-commit/kill actions, restrict allowed directories and session types, log all operations, and run in an isolated non-root environment.

What this means

On a shared or compromised machine, any local process able to reach the service could control sessions and inspect terminal output or workspace content.

Why it was flagged

The documented privilege boundary is extremely broad: root-level agent operation, full workspace and terminal access, and no authentication for local requests.

Skill content

Sandboxer gives agents full access to tmux sessions, workspace files, and terminal output on your server. Intended for dedicated AI machines where agents run with root access. ... Sandboxer runs on `localhost:8081`. No auth needed from localhost.

Recommendation

Use only on a dedicated isolated host, add authentication or protected Unix-socket permissions, avoid running as root where possible, and do not expose the service to shared users or untrusted local processes.

What this means

The safety of the skill depends on an external local service that cannot be assessed from these artifacts.

Why it was flagged

The high-impact Sandboxer service is central to the skill, but its implementation, installation source, and version provenance are not included in the provided artifacts.

Skill content

Source: unknown
Homepage: none
No install spec (this is an instruction-only skill)
No code files present

Recommendation

Install Sandboxer only from a trusted and audited source, pin its version, document it as a required dependency, and verify its access controls before enabling this skill.

What this means

Malicious or stale project instructions could steer spawned agents toward unsafe commands or behavior that conflicts with the user’s current intent.

Why it was flagged

The skill expects persistent workspace and repo instruction files to influence dispatched coding sessions, which is normal for coding workflows but can be poisoned if those files are untrusted.

Skill content

**Always read CLAUDE.md / AGENTS.md** in both workspace AND repo before dispatching work to a session

Recommendation

Review AGENTS.md and CLAUDE.md in each workspace/repo, treat them as lower priority than user and system instructions, and be cautious with untrusted repositories.

What this means

If used carelessly, completion callbacks could notify an unintended URL or disclose session metadata depending on the service implementation.

Why it was flagged

The skill supports an outbound callback flow, but the artifact does not specify callback authentication, allowed destinations, or exactly what data is sent.

Skill content

`POST /api/create` accepts JSON body with `notify_url` — gets called when session finishes.

Recommendation

Use only trusted notify_url destinations, document the callback payload, authenticate callbacks where possible, and block external callback URLs unless needed.