Vagrant Skill

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is a plausible Vagrant sandbox, but it forwards your host SSH agent into the VM by default and under-discloses some host/project-side changes.

Use this only if you are comfortable with Vagrant creating local VM state and with project files being copied into the guest VM. Before running it, remove or disable `config.ssh.forward_agent = true` unless you explicitly need SSH credentials inside the VM, review any generated Vagrantfile, add secret-file exclusions, and destroy the VM when finished.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Untrusted or compromised code inside the VM may be able to authenticate as you to SSH-backed services while the agent is forwarded, even though the private key itself is not copied.

Why it was flagged

The skill is meant to run risky workloads in a disposable VM, but its required base Vagrantfile forwards the host SSH agent into that VM. That can let code running in the VM use the user's SSH identities for Git or other SSH services.

Skill content

Use when ... "try something dangerous" ... config.ssh.forward_agent = true

Recommendation

Disable SSH agent forwarding by default. Only enable it after explicit user confirmation for a specific task, and document which SSH identities could be reachable from the VM.

What this means

A user may think the workflow cannot change host-side files, when it can add or overwrite project VM configuration and create local VM/provider artifacts.

Why it was flagged

The safety claim is broader than the actual behavior: the skill instructs the agent to write into the user's project and Vagrant will also create/manage local VM state.

Skill content

the host is never modified ... If the user's project does not already have a `Vagrantfile`, you MUST create a real, working one in their project directory.

Recommendation

Clarify that privileged operations are intended to stay inside the VM, but host-side project files and Vagrant state may be created or changed. Ask before writing or replacing a Vagrantfile.

What this means

Project files, and possibly local secrets stored in the project directory, may become available to commands or code run inside the VM.

Why it was flagged

The workflow copies the project root into the VM. This is central to the dev-sandbox purpose, but the listed exclusions do not cover common secret files such as `.env` or local credentials.

Skill content

config.vm.synced_folder ".", "/project", type: "rsync", rsync__exclude: [ ".git/", "node_modules/", "vendor/", ".vagrant/", ... ]

Recommendation

Review the project before syncing, add exclusions for secrets such as `.env`, credentials, or private config files, and destroy the VM when finished.

What this means

Future provisioning could install a different version of Mage than the one the skill author tested.

Why it was flagged

The VM provisioner installs a latest-version dependency from the network. This is purpose-aligned setup behavior, but it is not pinned for reproducible builds.

Skill content

go install github.com/magefile/mage@latest

Recommendation

Pin tool versions where reproducibility matters, and prefer checksums or locked versions for security-sensitive environments.