ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cloudsway ScaleBox Sandbox

v1.0.5

Create and manage isolated cloud sandboxes for secure, remote code execution, browser automation, and temporary development environments via CLI, API, or Pyt...

0· 75·0 current·0 all-time
by@gloriathepenguin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md describes creating/managing cloud sandboxes and shows API/CLI/SDK usage. The operations it instructs (create sandboxes, open ports, upload/download files, exec commands) align with that purpose.
Instruction Scope
Runtime instructions are scoped to ScaleBox operations (curl to api.scalebox.dev, scalebox-cli commands, file uploads, command exec inside sandboxes). They do not instruct reading arbitrary local files or unrelated credentials. The README explicitly tells the user to obtain and set SCALEBOX_API_KEY and to install the official CLI.
Install Mechanism
This is an instruction-only skill (no install spec, no code files) which lowers risk of hidden code. The SKILL.md directs users to download/verify an official CLI; that is reasonable. Note: skill.json lists runtime commands including 'scalebox-cli' and 'curl' which implies those binaries must exist — but the registry metadata above reported 'Required binaries: none' creating an inconsistency to resolve.
Credentials
The skill requires a single ScaleBox API key (SCALEBOX_API_KEY) which is appropriate for the described tasks. However, the top-level registry metadata you were shown lists no required env vars while skill.json marks SCALEBOX_API_KEY as required—this mismatch should be clarified. Ensure any provided API key has minimal scope and short TTL if possible.
Persistence & Privilege
The skill does not request 'always: true' or any system config paths, and is instruction-only so it does not install persistent binaries. It does require network access (calls to api.scalebox.dev) which is expected for a cloud sandbox controller.
What to consider before installing
Before installing or enabling this skill: - Confirm the skill's provenance: there is no homepage/source repo listed. Prefer skills with a known vendor or repository. - Verify the declared requirements: skill.json and SKILL.md expect SCALEBOX_API_KEY and availability of 'scalebox-cli' and 'curl', but the registry summary above showed none — clarify which is authoritative. - Limit risk of credential misuse: only provide a scoped ScaleBox API key (least privilege) and consider using a short-lived key that can be rotated. - Verify CLI download integrity: follow the SKILL.md advice to fetch the official CLI from https://www.scalebox.dev and verify checksums if available. - Understand the capabilities: this skill can upload files and execute commands in remote sandboxes — a compromised or misconfigured ScaleBox API key could let an attacker run code on your cloud account or exfiltrate data to sandbox endpoints. Monitor sandbox creation/activity and revoke keys if suspicious. - If you need higher assurance, ask the publisher for a source repo, release signatures, and a privacy/security statement. If you cannot validate the source, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

cloudvk97dn2p7tg2vcb8ps4qxwa49rd83bd63cloudswayvk97dn2p7tg2vcb8ps4qxwa49rd83bd63code-executionvk97dn2p7tg2vcb8ps4qxwa49rd83bd63latestvk97dn2p7tg2vcb8ps4qxwa49rd83bd63sandboxvk97dn2p7tg2vcb8ps4qxwa49rd83bd63

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments