Novita Sandbox

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: novita-sandbox
Version: 0.1.8

The novita-sandbox skill is a legitimate tool designed to provide a secure execution environment for untrusted code and web browsing using Novita AI's Firecracker-based cloud sandboxes. The implementation in `scripts/sandbox.py` is a standard CLI wrapper for the `novita-sandbox` SDK, facilitating sandbox lifecycle management, command execution, and file transfers. The `SKILL.md` documentation includes proactive security instructions, such as warning the agent against uploading sensitive local credentials and advising against using specific platform functions (`config.patch`) that might cause instability, demonstrating a focus on safety and isolation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Users may assume stronger sandbox security or network isolation than the code actually requests from the provider.

Why it was flagged

The skill is presented as a secure sandbox, but the implementation creates sandboxes with a flag named secure set to false; the artifact does not explain what protections remain enabled.

Skill content

secure=False,
allow_internet_access=True,
auto_pause=True,

Recommendation

Clarify what the secure flag controls, enable the provider's secure mode if it is required for the advertised protections, and document the exact isolation guarantees.

What this means

Logins, cookies, page state, or artifacts from one task could affect or be exposed during a later task.

Why it was flagged

The skill tells the agent to preserve and reuse sandbox state, including browser cookies, without a clear per-task or per-user boundary.

Skill content

all process state (including Chromium browser sessions, tabs, cookies) is preserved ... If a matching sandbox exists ... reuse it. Only create new if none match.

Recommendation

Use fresh sandboxes for sensitive browsing or untrusted code, require user approval before reusing a sandbox, and kill sandboxes after tasks that involve logins or private data.

What this means

The installed SDK may behave differently from the reviewed version, including in code paths that handle the API key and remote command execution.

Why it was flagged

A lower-bound dependency is not an exact pin, so installation can pull a later unreviewed SDK version despite the documentation saying it is pinned.

Skill content

pip3 install "novita-sandbox>=1.0.5" ... the SDK version is tested and pinned

Recommendation

Pin the exact SDK version, provide a lockfile or checksum, and update the documentation so it matches the actual dependency policy.

What this means

The skill can use your Novita account to create, list, connect to, and kill paid sandboxes.

Why it was flagged

The Novita API key is expected for this integration and costs are disclosed, but the registry metadata says there are no required environment variables or primary credential.

Skill content

export NOVITA_API_KEY="sk_your_key"           # Required (Note: Sandbox usage incurs API costs billed per second)

Recommendation

Set the key only in the intended environment, monitor Novita usage, and have the skill metadata declare NOVITA_API_KEY explicitly.

What this means

If invoked with the wrong paths or commands, the agent could send local files to Novita or write sandbox output over local files.

Why it was flagged

The helper exposes broad remote command execution plus local upload/download paths. This is central to the sandbox purpose, but it is powerful and should remain user-directed.

Skill content

sbx.commands.run(args.command, timeout=args.timeout) ... with open(args.local_path, "rb") as f: ... with open(args.local_path, "w") as f:

Recommendation

Review commands and file paths before use, avoid uploading private files unless necessary, and download results only to safe, explicit locations.