Skillv1.0.0

ClawScan security

Sandbox Manager · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 30, 2026, 2:59 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's code and docs do implement a Baidu sandbox manager as described, but it writes credentials to ~/.env, references another sensitive token (COMATE_AUTH_TOKEN) that isn't declared, and instructs installing internal packages — these are legitimate for the feature but deserve caution before installing or granting secrets.
Guidance: This skill looks like a legitimate Baidu sandbox manager, but review and decide before installing: 1) It will write your API key into ~/.env (may overwrite existing entries) — prefer adding the key manually if unsure. 2) The docs mention COMATE_AUTH_TOKEN (sensitive) but the registry metadata doesn't declare it — do not supply unrelated secrets unless you trust the skill and the service. 3) The README/SKILL.md instruct pip installs from an internal index (pip.baidu-int.com); confirm you trust that package source and the e2b_code_interpreter package versions. 4) If you need to audit: run the scripts locally and inspect calls (they use e2b_code_interpreter.Sandbox), watch network endpoints, and consider sandboxing the skill itself. If you are in an enterprise environment, ask your security/ops team to verify the internal package index and token usage before providing credentials.

Review Dimensions

Purpose & Capability: noteThe name/description match the shipped code: scripts create, connect, manage, list files, run commands and destroy sandbox instances via the e2b_code_interpreter SDK. The required behaviors (reading/writing E2B_API_KEY, using Sandbox SDK) are coherent with the stated purpose.
Instruction Scope: concernSKILL.md and scripts instruct the agent/user to install SDK packages and to automatically write the API key into ~/.env. The skill will load ~/.env at runtime and may inject COMATE_AUTH_TOKEN into sandbox environments. Writing credentials to a user file and auto-installing packages expands scope and should be explicit and approved by the user.
Install Mechanism: noteThere is no formal install spec in the registry (instruction-only), but the docs instruct pip installing packages from an internal index (https://pip.baidu-int.com). No arbitrary download URLs or archive extraction are used. Installing packages from a non-public index is a moderate risk and should be validated by the user/organization.
Credentials: concernThe package and scripts depend on E2B_API_KEY and E2B_DOMAIN (used and written to ~/.env) — but the skill metadata declares no required env vars. SKILL.md also notes COMATE_AUTH_TOKEN is needed for iCode access; that sensitive token is referenced but not declared in registry metadata. The skill will store credentials in ~/.env, which can expose/overwrite existing environment settings.
Persistence & Privilege: noteThe skill is not always:true and does not request system-wide privileges. However, it persists credentials by writing to ~/.env (user home), modifying local configuration — this is expected for the feature but is a persistent side-effect the user should accept explicitly.