Docker Sandbox

Create and manage Docker sandboxed VM environments for safe agent execution. Use when running untrusted code, exploring packages, or isolating agent workloads. Supports Claude, Codex, Copilot, Gemini, and Kiro agents with network proxy controls.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the instructions: the SKILL.md documents only the docker sandbox workflow and requires the docker binary. However, the defaults it suggests (mounting the host workspace into the sandbox via virtiofs, and a Docker socket available inside the sandbox) are stronger privileges than you would expect from a "safe" sandbox and can weaken isolation.

Instruction Scope
The runtime instructions tell the agent to create sandboxes that mount host paths, which lets sandboxed processes read and write those host files. The SKILL.md also lists a Docker socket at /run/docker.sock inside every sandbox and calls it "Docker-in-Docker capable", without saying whether that socket belongs to the host daemon or to a daemon inside the sandbox VM; if it is the host's, sandboxed code can control the host Docker daemon, a well-known host escape and privilege escalation vector. The document further instructs running arbitrary agent code inside those sandboxes and suggests setting environment variables and proxy hooks, all of which could expose host data or network access if misconfigured.

Install Mechanism
The skill is instruction-only: no install spec and no downloaded artifacts. That minimizes installer risk, because the skill itself writes nothing new; it only instructs use of an existing docker binary.

Credentials
The skill requests no external credentials or environment variables. It does describe proxy environment variables that are set automatically inside sandboxes and a workaround for Node.js fetch behavior. While it demands no secrets, the environment it describes (workspace mounts, proxy CA certificate, Docker socket) grants access to host resources that is disproportionate to a claim of "safe" execution of untrusted code.

Persistence & Privilege
The skill's always flag is false and there is no installation step, so the skill itself does not insist on a persistent privileged presence. Still, running Docker commands from the agent lets it create long-lived sandboxes, snapshots and templates; combined with mounted host paths and the Docker socket, that gives the agent substantial indirect persistence and privilege on the host if the operator permits those operations.

What to consider before installing
This skill documents how to run code in Docker-based sandboxes, but take the following precautions before using it:
  1) Mounting your project into a container and exposing /run/docker.sock defeats many isolation guarantees. Avoid mounting sensitive host paths, and do not expose the Docker socket unless you explicitly need it.
  2) Prefer deny-by-default network policies with explicit allowlists (the SKILL.md supports this), and test the rules before running unknown code.
  3) Verify the origin and behavior of the docker sandbox plugin on your system (the skill has no homepage or source other than a Docker docs link).
  4) Run a small, non-sensitive experiment first to confirm what the sandbox actually exposes (file mounts, socket, network).
  5) If you need stronger isolation, use a separate VM or a sandboxing solution that does not expose the host Docker daemon or host files.
  6) If you lack confidence in the plugin or your Docker configuration, do not run untrusted code on a machine holding sensitive data or credentials.


Current version: v1.0.0 (latest)


Runtime requirements

Runtime: Clawdis
OS: Linux, macOS, Windows
Binaries: docker

SKILL.md

Docker Sandbox

Run agents and commands in isolated VM environments using Docker Desktop's sandbox feature. Each sandbox gets its own lightweight VM with filesystem isolation, network proxy controls, and workspace mounting via virtiofs.

When to Use

  • Exploring untrusted packages or skills before installing them system-wide
  • Running arbitrary code from external sources safely
  • Testing destructive operations without risking the host
  • Isolating agent workloads that need network access controls
  • Setting up reproducible environments for experiments

Requirements

  • Docker Desktop 4.49+ with the docker sandbox plugin
  • Verify: docker sandbox version

Quick Start

Create a sandbox for the current project

docker sandbox create --name my-sandbox claude .

This creates a VM-isolated sandbox with:

  • The current directory mounted via virtiofs
  • Node.js, git, and standard dev tools pre-installed
  • Network proxy with allowlist controls

Run commands inside

docker sandbox exec my-sandbox node --version
docker sandbox exec my-sandbox npm install -g some-package
docker sandbox exec -w /path/to/workspace my-sandbox bash -c "ls -la"

Run an agent directly

# Create and run in one step
docker sandbox run claude . -- -p "What files are in this project?"

# Run with agent arguments after --
docker sandbox run my-sandbox -- -p "Analyze this codebase"

Commands Reference

Lifecycle

# Create a sandbox (agents: claude, codex, copilot, gemini, kiro, cagent)
docker sandbox create --name <name> <agent> <workspace-path>

# Run an agent in sandbox (creates if needed)
docker sandbox run <agent> <workspace> [-- <agent-args>...]
docker sandbox run <existing-sandbox> [-- <agent-args>...]

# Execute a command
docker sandbox exec [options] <sandbox> <command> [args...]
  -e KEY=VAL          # Set environment variable
  -w /path            # Set working directory
  -d                  # Detach (background)
  -i                  # Interactive (keep stdin open)
  -t                  # Allocate pseudo-TTY

# Stop without removing
docker sandbox stop <sandbox>

# Remove (destroys VM)
docker sandbox rm <sandbox>

# List all sandboxes
docker sandbox ls

# Reset all sandboxes
docker sandbox reset

# Save snapshot as reusable template
docker sandbox save <sandbox>

Network Controls

The sandbox includes a network proxy for controlling outbound access.

# Allow specific domains
docker sandbox network proxy <sandbox> --allow-host example.com
docker sandbox network proxy <sandbox> --allow-host api.github.com

# Block specific domains
docker sandbox network proxy <sandbox> --block-host malicious.com

# Block IP ranges
docker sandbox network proxy <sandbox> --block-cidr 10.0.0.0/8

# Bypass proxy for specific hosts (direct connection)
docker sandbox network proxy <sandbox> --bypass-host localhost

# Set default policy (allow or deny all by default)
docker sandbox network proxy <sandbox> --policy deny  # Block everything, then allowlist
docker sandbox network proxy <sandbox> --policy allow  # Allow everything, then blocklist

# View network activity
docker sandbox network log <sandbox>

Custom Templates

# Use a custom container image as base
docker sandbox create --template my-custom-image:latest claude .

# Save current sandbox state as template for reuse
docker sandbox save my-sandbox

Workspace Mounting

The workspace path on the host is mounted into the sandbox via virtiofs. The mount path inside the sandbox preserves the host path structure:

Host OS    Host Path                     Sandbox Path
Windows    H:\Projects\my-app            /h/Projects/my-app
macOS      /Users/me/projects/my-app     /Users/me/projects/my-app
Linux      /home/me/projects/my-app      /home/me/projects/my-app

The agent's home directory is /home/agent/ with a symlinked workspace/ directory.

Environment Inside the Sandbox

Each sandbox VM includes:

  • Node.js (v20.x LTS)
  • Git (latest)
  • Python (system)
  • curl, wget, standard Linux utilities
  • npm (global install directory at /usr/local/share/npm-global/)
  • Docker socket (at /run/docker.sock - Docker-in-Docker capable)

Proxy Configuration (auto-set)

HTTP_PROXY=http://host.docker.internal:3128
HTTPS_PROXY=http://host.docker.internal:3128
NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/proxy-ca.crt
SSL_CERT_FILE=/usr/local/share/ca-certificates/proxy-ca.crt

Important: Node.js fetch (undici) does NOT respect HTTP_PROXY env vars by default. For npm packages that use fetch, create a require hook. The hook needs the undici package installed (npm install undici): Node bundles undici for its own fetch but does not expose it to require().

// /tmp/proxy-fix.js
// Route every global fetch() through the sandbox proxy by attaching an undici
// ProxyAgent as the request dispatcher. Hosts listed in NO_PROXY are not
// exempted by this hook.
const proxy = process.env.HTTPS_PROXY || process.env.HTTP_PROXY;
if (proxy) {
  const { ProxyAgent } = require('undici');
  const agent = new ProxyAgent(proxy);
  const origFetch = globalThis.fetch;
  globalThis.fetch = function (url, opts = {}) {
    // A dispatcher supplied by the caller is overridden so no request bypasses the proxy
    return origFetch(url, { ...opts, dispatcher: agent });
  };
}

Run with: node -r /tmp/proxy-fix.js your-script.js. To apply the hook to Node processes that npm or other tools spawn, export NODE_OPTIONS="--require /tmp/proxy-fix.js" instead.
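The scan summary at the top of this page recommends a small experiment to confirm what a sandbox actually exposes before trusting it. The following probe is an added example, not part of the skill or of Docker's tooling: run inside a fresh sandbox, it reports the facts this section lists (workspace mount, Docker socket, proxy variables) as seen from the inside, adds whether the mount is writable, and flags the two findings that weaken isolation for untrusted code. The sandbox_path helper follows the mounting table above. The invocation in the header assumes that docker sandbox exec -i passes stdin through to sh, which the page's description of -i suggests but does not state.

```shell
#!/bin/sh
# Added example, not part of the skill. Probe a freshly created sandbox from
# the inside and report what it really exposes. Pipe it into the sandbox with
#   docker sandbox exec -i my-sandbox sh -s /home/agent/workspace < probe.sh
# (assumption: the -i flag shown on this page passes stdin through to sh).

# Map a host workspace path to the path the page says it gets inside the
# sandbox: a Windows drive letter is lowercased and moved under /, backslashes
# become slashes; macOS and Linux paths are unchanged.
sandbox_path() {
  p=$(printf '%s' "$1" | tr '\\' '/')
  case "$p" in
    [A-Za-z]:/*)
      drive=$(printf '%s' "$p" | cut -c1 | tr '[:upper:]' '[:lower:]')
      printf '/%s%s\n' "$drive" "${p#?:}"
      ;;
    *) printf '%s\n' "$p" ;;
  esac
}

# Print key=value facts about the environment this runs in.
# Usage: probe_report <workspace-path-inside-sandbox>
probe_report() {
  ws="$1"
  if [ -d "$ws" ]; then
    echo "workspace=present"
    # A write attempt is the only reliable test: the mount may be read-only
    # or owned by another uid.
    if ( : > "$ws/.sandbox-probe" ) 2>/dev/null; then
      rm -f "$ws/.sandbox-probe"
      echo "workspace_writable=yes"
    else
      echo "workspace_writable=no"
    fi
    echo "workspace_entries=$(ls -A "$ws" | wc -l | tr -d ' ')"
  else
    echo "workspace=absent"
  fi
  echo "virtiofs_mounts=$(mount -t virtiofs 2>/dev/null | wc -l | tr -d ' ')"
  if [ -S /run/docker.sock ] || [ -S /var/run/docker.sock ]; then
    echo "docker_socket=present"
  else
    echo "docker_socket=absent"
  fi
  echo "uid=$(id -u)"
  echo "http_proxy=${HTTP_PROXY:-unset}"
  echo "https_proxy=${HTTPS_PROXY:-unset}"
  echo "proxy_ca=${NODE_EXTRA_CA_CERTS:-unset}"
}

# Read a report on stdin and print one line per finding that matters when the
# sandbox is meant to contain untrusted code. Returns 1 if any were found.
risky_findings() {
  n=0
  while IFS= read -r line; do
    case "$line" in
      docker_socket=present)
        echo "finding: a Docker socket is reachable; code in the sandbox can drive that daemon"
        n=$((n + 1)) ;;
      workspace_writable=yes)
        echo "finding: the workspace mount is writable; untrusted code can alter host files under it"
        n=$((n + 1)) ;;
    esac
  done
  [ "$n" -eq 0 ]
}

ws="${1:-/home/agent/workspace}"
report=$(probe_report "$ws")
printf '%s\n' "$report"
if printf '%s\n' "$report" | risky_findings; then
  echo "verdict=no risky findings"
else
  echo "verdict=review findings before running untrusted code here"
fi
```

A writable mount is normal for day-to-day use, but for package vetting it means a malicious install script can edit your project; commit first or point the sandbox at a scratch copy. The docker_socket line only tells you a socket exists, not which daemon answers it, so follow it up with docker sandbox exec my-sandbox docker info and compare the reported host name and containers with your host's.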

Patterns

Safe Package Exploration

# Create isolated sandbox
docker sandbox create --name pkg-test claude .

# Restrict network to only npm registry
docker sandbox network proxy pkg-test --policy deny
docker sandbox network proxy pkg-test --allow-host registry.npmjs.org
docker sandbox network proxy pkg-test --allow-host api.npmjs.org

# Install and inspect the package
docker sandbox exec pkg-test npm install -g suspicious-package
docker sandbox exec pkg-test bash -c "find /usr/local/share/npm-global/lib/node_modules/suspicious-package -name '*.js' | head -20"

# Review which hosts the install contacted. The log shows network activity only;
# install scripts and file access have to be checked in package.json and the unpacked files
docker sandbox network log pkg-test

# Clean up
docker sandbox rm pkg-test
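The Network Controls section and the exploration pattern above are the same few commands typed by hand each time. The script below is an added example, not code from the skill or from Docker: it chains those commands into a deny-by-default allowlist, validates every allowlisted entry, and checks the package's manifest for install-time scripts before npm is allowed to run them. It assumes only the docker sandbox subcommands shown on this page; DRY_RUN=1 prints the docker commands instead of executing them, and the grep-based manifest check is a heuristic, not a JSON parser.

```shell
#!/usr/bin/env bash
# Added example, not part of the skill: vet an npm package inside a
# deny-by-default sandbox and refuse to install it blindly when it declares
# npm lifecycle scripts that run at install time.
# Usage: ./vet.sh <package> [sandbox-name]    (DRY_RUN=1 to print commands only)
set -eu

# Execute a command, or print it when DRY_RUN=1.
sbx() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Accept only bare hostnames for the allowlist. The page shows the proxy taking
# plain hosts, so a scheme, path or wildcard is treated as a typo and rejected
# rather than becoming a rule that silently allows nothing.
valid_host() {
  case "$1" in
    ''|*'://'*|*/*|*'*'*|*' '*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Switch the sandbox to deny-by-default, then allow only the listed hosts.
# Usage: lockdown_sandbox <sandbox> <host>...
lockdown_sandbox() {
  local sandbox="$1"; shift
  local h
  for h in "$@"; do
    valid_host "$h" || { echo "invalid allowlist host: '$h'" >&2; return 1; }
  done
  sbx docker sandbox network proxy "$sandbox" --policy deny
  for h in "$@"; do
    sbx docker sandbox network proxy "$sandbox" --allow-host "$h"
  done
}

# Heuristic scan of a package.json: returns 0 when it declares a script that
# npm runs during installation (prepare only for git dependencies), 1 otherwise.
has_install_scripts() {
  grep -Eq '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$1"
}

# Full flow: lock down, download the tarball without executing anything from
# it, copy its manifest to the host, and install only if no install-time script exists.
vet_package() {
  local pkg="$1" sandbox="${2:-pkg-test}"
  sbx docker sandbox create --name "$sandbox" claude .
  lockdown_sandbox "$sandbox" registry.npmjs.org api.npmjs.org
  # npm pack fetches the published tarball; unlike npm install it runs none of
  # the package's scripts.
  sbx docker sandbox exec -w /tmp "$sandbox" bash -c \
    "rm -rf vet && mkdir vet && cd vet && npm pack '$pkg' >/dev/null && tar -xzf ./*.tgz"
  sbx docker sandbox exec "$sandbox" cat /tmp/vet/package/package.json > "./$sandbox.package.json"
  if has_install_scripts "./$sandbox.package.json"; then
    echo "$pkg declares install-time scripts; read ./$sandbox.package.json before installing" >&2
    return 2
  fi
  # Global install lands in /usr/local/share/npm-global/ inside the sandbox.
  sbx docker sandbox exec "$sandbox" npm install -g "$pkg"
  sbx docker sandbox network log "$sandbox"
}

if [ "$#" -gt 0 ]; then
  vet_package "$@"
fi
```

vet_package returns 2 and leaves the manifest in ./pkg-test.package.json when an install-time script is declared, so the script can be read before deciding. Once the package is installed, the network log shows which of the two allowed registry hosts were contacted and which attempts the proxy denied; anything outside the allowlist during a plain install is worth a closer look.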

Persistent Dev Environment

# Create once
docker sandbox create --name dev claude ~/projects/my-app

# Use across sessions
docker sandbox exec dev npm test
docker sandbox exec dev npm run build

# Save as template for team sharing
docker sandbox save dev

Locked-Down Agent Execution

# Deny-all network, allow only what's needed
docker sandbox create --name secure claude .
docker sandbox network proxy secure --policy deny
docker sandbox network proxy secure --allow-host api.openai.com
docker sandbox network proxy secure --allow-host github.com

# Run agent with restrictions
docker sandbox run secure -- -p "Review this code for security issues"

Troubleshooting

"client version X is too old"

Update Docker Desktop to 4.49+. The sandbox plugin requires engine API v1.44+.

"fetch failed" inside sandbox

Node.js fetch doesn't use the proxy. Use the proxy-fix.js require hook above, or use curl instead:

docker sandbox exec my-sandbox curl -sL https://api.example.com/data

Path conversion on Windows (Git Bash / MSYS2)

Git Bash converts /path to C:/Program Files/Git/path. Prefix commands with:

MSYS_NO_PATHCONV=1 docker sandbox exec my-sandbox ls /home/agent

Sandbox won't start after Docker update

docker sandbox reset  # Clears all sandbox state
