Skill v1.0.0

ClawScan security

Docker Sandbox · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 8:02 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini

Summary: The skill is internally consistent with its stated purpose (providing Docker-based ephemeral sandboxes) and only requires the docker binary; the instructions mostly match the purpose but a few implementation omissions and operational cautions deserve attention.

Guidance: This skill is coherent for its stated purpose, but running containers via an agent is powerful and you should take operational precautions before enabling or trusting it. Consider: (1) only give agents access to Docker in tightly controlled environments — the Docker daemon is effectively root on the host; (2) ensure the agent never mounts sensitive host paths (including /, /etc, ~/.ssh) and ensure it cannot mount the Docker socket (/var/run/docker.sock) into containers; (3) prefer additional hardening flags (e.g., --user to avoid root inside container, --read-only, --tmpfs for writable dirs, --security-opt=no-new-privileges, --cap-drop ALL, custom seccomp or AppArmor profiles, and explicit resource limits); (4) ensure examples are consistent (add --network none and resource limits to the bash example) and adapt path syntax for Windows; (5) test the workflow in an isolated VM or disposable host first. If you cannot enforce these operational constraints, do not grant an agent unrestricted ability to run docker on important hosts.

Review Dimensions

Purpose & Capability
ok: Name, description, and runtime instructions all center on running code inside Docker containers. The only required binary is `docker`, which is exactly what this skill needs.
Instruction Scope
note: Instructions demonstrate creating a local `.sandbox` directory and running containers with --rm, resource limits, and --network none in some examples. However: (1) the Bash example omits resource and network flags that the doc claims are default; (2) the doc relies on the agent/operator to avoid mounting sensitive host paths but does not explicitly warn about the danger of mounting the Docker socket (/var/run/docker.sock); (3) it does not show using non-root users, read-only mounts, no-new-privs, capability drops, or other container-hardening features that are commonly recommended. The mount command uses POSIX shell syntax ($(pwd)) but the metadata lists Windows support; Windows-specific path guidance is missing.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files — lowest-risk delivery mechanism. Nothing is written to disk by the skill itself.
Credentials
ok: The skill requests no environment variables or credentials. Requiring only the `docker` binary is proportionate to the claimed capability.
Persistence & Privilege
ok: Skill is user-invocable and not set always:true. It does not request system-wide changes or persistent presence beyond runtime instructions. Autonomous invocation is allowed (platform default) but not elevated by the skill.