Docker Sandbox
v1.0.0

Create and manage Docker sandboxed VM environments for safe agent execution. Use when running untrusted code, exploring packages, or isolating agent workloads. Supports Claude, Codex, Copilot, Gemini, and Kiro agents with network proxy controls.

⭐ 5 · 4.5k · 26 current · 28 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
Name/description match the instructions: the SKILL.md exclusively documents using a 'docker sandbox' workflow and requires the docker binary. However the suggested defaults (mounting the host workspace into the sandbox via virtiofs and providing the Docker socket inside the sandbox) are stronger privileges than you'd expect for a 'safe' sandbox and can defeat isolation.
Instruction Scope
The runtime instructions tell the agent to create sandboxes that mount host paths and include the host Docker socket (/run/docker.sock). Those actions permit sandboxed processes to access host files and control the Docker daemon (a well-known host escape/privilege escalation vector). The doc also instructs running arbitrary agent code inside those sandboxes and suggests setting env vars and proxy hooks—all of which could expose host data or network access if misconfigured.
Install Mechanism
This is instruction-only (no install spec, no downloaded artifacts). That minimizes installer risk because nothing new is written by the skill itself; it merely instructs use of an existing docker binary.
Credentials
The skill requests no external credentials or env vars. It does, however, describe auto-set proxy environment variables inside sandboxes and recommends workarounds for Node fetch behavior. While not demanding secrets, the described environment (workspace mounts, proxy certs, Docker socket) grants broad access to host resources that is disproportionate to a claim of 'safe' execution of untrusted code.
Persistence & Privilege
always is false and there is no installation, so the skill itself doesn't insist on persistent privileged presence. Still, using Docker commands from the agent lets the agent create long-lived sandboxes, snapshots, and templates; combined with mounted host paths and the docker socket, that grants the agent substantial indirect persistence/privilege on the host if the operator allows those operations.
What to consider before installing
This skill documents how to run code in Docker-based sandboxes, but take the following precautions before using it:

1) Understand that mounting your project into a container and exposing /run/docker.sock defeats many isolation guarantees—avoid mounting sensitive host paths and do not expose the Docker socket unless you explicitly need it.
2) Prefer deny-by-default network policies and explicit allowlists (the SKILL.md supports this); test rules before running unknown code.
3) Verify the origin and behavior of the 'docker sandbox' plugin on your system (the skill has no homepage/source other than a Docker docs link).
4) Run a small, non-sensitive experiment first to confirm what the sandbox actually exposes (file mounts, socket, network).
5) If you need stronger isolation, use a separate VM or a sandboxing solution that does not expose the host Docker daemon or host files.
6) If you lack confidence in the plugin or your Docker configuration, do not run untrusted code on a machine with sensitive data or credentials.
latest: vk97ab2w69p3kgcsrrjb63e3ejd80fr4p
Runtime requirements

🐳 Clawdis
OS: Linux · macOS · Windows
Bins: docker