Sandwrap
Warn
Audited by ClawScan on May 10, 2026.
Overview
Sandwrap is an instruction-only safety wrapper with no runnable sandbox enforcement shown, yet it encourages running untrusted skills under strong safety claims.
Treat Sandwrap as guidance, not a sandbox. It may help remind an agent to be cautious, but it should not be used as the only protection for untrusted skills, suspicious files, private data, or anything that could execute commands or modify files.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: A user may trust Sandwrap as a safety boundary and run a dangerous third-party skill that can still misuse tools or access data.
The skill's documentation strongly reassures users that untrusted, exec-capable skills can be run safely, even though the package is instruction-only and cannot itself prove real sandbox enforcement.
Evidence (quoted from the skill's documentation): "You find a cool skill on ClawHub... it wants exec access... Wrap any skill in protection... That's it. The skill runs, you get the results, nothing bad happens."
Recommendation: Do not rely on this as a real sandbox. Use a VM/container or platform-enforced tool permissions for untrusted skills, and avoid absolute safety claims in the documentation.
Finding 2: If a wrapped skill is actually malicious, prompt-only rules may not stop file writes, command execution, messaging, or other unsafe tool use.
The architecture claims code-level tool interception, but the supplied package has no code files or install mechanism, so this critical control is not evidenced by the artifacts.
Evidence (quoted from the skill's documentation): "Tool restrictions are enforced at code level, not by this prompt... Tool calls are intercepted BEFORE execution."
Recommendation: Require real platform-level allowlists, deny-by-default tool permissions, and explicit human approval before using this with untrusted or high-privilege skills.
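To make the distinction concrete, here is an added illustration (not Sandwrap's code and not part of the ClawScan audit) of the control the skill claims but does not ship: a deny-by-default allowlist with human approval, applied in code before each tool call, which no prompt text can talk its way around. The tool names, the `work` directory and the fake tool functions are constructed for the demo.

```python
from dataclasses import dataclass, field
from pathlib import Path
from typing import Any, Callable

class PolicyDenied(Exception):
    """Raised when a tool call is refused before it executes."""

@dataclass
class ToolPolicy:
    # Deny by default: a tool not listed here is refused outright.
    allowed: set[str] = field(default_factory=set)
    # Listed tools also need a human to approve the exact call.
    needs_approval: set[str] = field(default_factory=set)
    # write_file may only touch paths under this directory (constructed layout).
    writable_root: Path = Path("work")

def intercept(policy: ToolPolicy, approve: Callable[[str, dict], bool],
              name: str, args: dict[str, Any]) -> dict[str, Any]:
    """Vet a tool call BEFORE it runs; return checked args or raise."""
    if name not in policy.allowed:
        raise PolicyDenied(f"{name!r} is not on the allowlist")
    if name == "write_file":
        # Resolve '..' and symlinks so a traversal path cannot escape the root.
        root = policy.writable_root.resolve()
        target = Path(args["path"]).resolve()
        if target != root and root not in target.parents:
            raise PolicyDenied(f"write outside {root}: {target}")
        args = {**args, "path": str(target)}
    if name in policy.needs_approval and not approve(name, args):
        raise PolicyDenied(f"human declined {name!r}")
    return args

def run_tool(policy, approve, tools, name, args):
    """Dispatch only through the interceptor; a prompt cannot bypass it."""
    return tools[name](**intercept(policy, approve, name, args))

# Constructed stand-ins for a platform's real tools; nothing touches disk.
FAKE_TOOLS = {
    "read_file": lambda path: f"contents of {path}",
    "write_file": lambda path, data: f"wrote {len(data)} bytes to {path}",
    "exec": lambda cmd: f"ran {cmd}",
}
UNTRUSTED_SKILL_POLICY = ToolPolicy(allowed={"read_file", "write_file"},
                                    needs_approval={"write_file"})
def try_call(name, args, approve=lambda n, a: False):
    """Return the tool result, or the reason the call was refused."""
    try:
        return run_tool(UNTRUSTED_SKILL_POLICY, approve, FAKE_TOOLS, name, args)
    except PolicyDenied as e:
        return f"denied: {e}"
```

The `exec` tool is refused no matter what the skill's prompt says, and every write is confined to the resolved root and shown to a human first; that is the kind of evidence the audit asks the package to provide.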
Finding 3: Users have limited evidence for the claimed protection rate and vetted status.
The security rationale points to a referenced research file that is not present in the manifest, making the claimed vetting and effectiveness harder to verify.
Evidence (quoted from the skill's documentation): "Based on academic research (see `research/prompt-injection-academic-research.md`)"
Recommendation: Provide the referenced research, test results, and implementation details, or clearly mark the skill as an advisory prompt wrapper rather than a verified sandbox.
