v1.0.1


Review

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:38 AM.

Analysis

Sandboxer is upfront about being a power-user tmux dispatcher, but it gives an agent broad unauthenticated server, terminal, workspace, and persistent-session control that merits careful review.

Guidance

Install or use this only on an isolated, single-user AI machine with a trusted Sandboxer service. Avoid root where possible, add authentication or access controls, require confirmation for shell/session/file/commit operations, review workspace instruction and memory files, and regularly monitor and kill spawned sessions.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
SKILL.md
`GET /api/create?type=T&dir=D` | Spawn session ... `GET /api/send?session=S&text=T` | Send keystrokes ... `GET/POST /api/workspace/W/file/PATH` | Read/write workspace files ... `POST /api/auto-commit?workspace=W` | Commit workspace changes

The documented API lets the agent create interactive sessions, send arbitrary input, mutate workspace files, and commit changes; these are broad high-impact operations without documented approval or scoping controls.

User impact: A mistaken or hijacked agent action could run commands, alter files, kill sessions, or commit persistent changes in the workspace.
Recommendation: Use explicit user confirmation for session creation, shell/lazygit access, file writes, kills, and commits; restrict allowed directories, session types, and file paths.

Rogue Agents
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Session types: `claude`, `bash`, `lazygit`, `gemini`, `opencode` ... `GET /api/create?type=T&dir=D` | Spawn session ... `GET /api/kill?session=S` | Kill session

The skill enables spawning multiple autonomous or interactive tmux sessions, including other coding agents and shells, but does not document time limits, quotas, or default cleanup behavior.

User impact: Spawned sessions could continue working after the original request, consume resources, or keep modifying the workspace until explicitly killed.
Recommendation: Set session timeouts, require a user-approved task and directory for each spawned session, monitor active sessions, and kill or archive them after completion.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
install spec
No install spec — this is an instruction-only skill.

The package contains only instructions for using a powerful localhost service; the artifacts do not provide the Sandboxer service code or installation provenance to review.

User impact: Users must separately trust and verify the local Sandboxer service because this skill does not show how that service is installed or secured.
Recommendation: Verify the Sandboxer service source, configuration, bind address, authentication, and runtime user before installing or invoking this skill.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
Sandboxer gives agents full access to tmux sessions, workspace files, and terminal output on your server. Intended for dedicated AI machines where agents run with root access. ... No auth needed from localhost.

The skill explicitly relies on unauthenticated localhost access to a service that can operate with root-level authority over server terminals and workspace files.

User impact: Any agent or local process able to call the localhost API may be able to act with broad server/workspace privileges.
Recommendation: Run the service as a low-privilege user in an isolated environment, add authentication or socket-level access control, and avoid exposing it on shared machines.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`AGENTS.md` ... `SOUL.md, USER.md, TOOLS.md` ... `MEMORY.md` ... `memory/YYYY-MM-DD.md` ... `Always read CLAUDE.md / AGENTS.md in both workspace AND repo before dispatching work to a session`

The workflow intentionally reads persistent agent rules and memory-like workspace files before dispatching work, which is purpose-aligned but means those files can strongly influence future spawned sessions.

User impact: Incorrect or malicious instructions in workspace or repo guidance files could steer future coding sessions or leak sensitive project context into spawned agents.
Recommendation: Review AGENTS.md, CLAUDE.md, MEMORY.md, and similar files before use; treat repo-provided instructions as untrusted unless they come from a trusted project.

Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
`POST /api/create` accepts JSON body with `notify_url` — gets called when session finishes.

The API can call a supplied notification URL when a spawned session completes, creating an external callback path whose payload and destination constraints are not described.

User impact: If an untrusted or external notify URL is used, task/session metadata could be sent outside the local machine.
Recommendation: Use only trusted notification URLs, prefer local/internal callbacks, and document what data is sent in completion notifications.