XPR Code Sandbox
Execute JavaScript code in a secure sandbox for data processing, computation, and quick expression evaluation without network or filesystem access.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by @paulgnz
Security Scan
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, declared tools (execute_js, eval_expression) and the included src/index.ts align: the implementation uses Node's vm to run JS with explicit globals and blocked require/process/global access. No unrelated env vars, binaries, or installs are requested.
Instruction Scope
SKILL.md limits scope to isolated JS execution and explicitly forbids network/filesystem/imports; the code enforces these restrictions by creating a limited context and undefining require/process/global. However, vm-based sandboxes can be subtle to get correct — the instructions do not permit reading system state or secrets, and the code does not appear to do so, but there remains a non-zero risk of sandbox escape vectors in complex JS environments.
Install Mechanism
No install spec; skill is instruction/code-only and uses Node built-ins. Nothing in the manifest pulls external code or runs remote installers.
Credentials
The skill requires no environment variables, no credentials, and no config paths. The code does not access process.env or other outside credentials. Requested privileges are proportional to the stated purpose.
Persistence & Privilege
always is false; the skill is user-invocable and allows autonomous invocation (platform default). It does not modify other skills or request permanent elevated presence.
Assessment
This skill appears internally consistent for running JavaScript computations in a sandbox and does not ask for credentials or installs. Before installing, consider: (1) provenance — the source/homepage is unknown; prefer skills from known authors. (2) Treat it as untrusted when executing third-party code: test with non-sensitive inputs and small timeouts. (3) Although the code explicitly blocks require/process/global and disables code-generation-from-strings, vm-based sandboxes have historically had escape techniques — avoid sending secrets or sensitive data into the sandbox. (4) If you need stronger guarantees, run similar workloads in a dedicated, isolated execution environment (separate process/container) or seek a sandbox with formal audits.
Like a lobster shell, security has layers — review code before you run it.
Current version: v0.2.11
Tags: code, javascript, latest, sandbox, xpr
SKILL.md
Code Sandbox
You have sandboxed JavaScript execution tools for computation and data processing:
Full scripts:
- execute_js — run JavaScript code in an isolated V8 sandbox
  - Pass data via the input parameter (JSON) — access it as INPUT in your code
  - Use console.log() to capture intermediate values (returned in logs array)
  - Available globals: JSON, Math, Date, Array, Object, String, Number, RegExp, Map, Set, parseInt, parseFloat, isNaN, isFinite, encodeURIComponent, decodeURIComponent, atob, btoa
  - No network access, no filesystem, no imports — pure computation only
  - Default timeout 5 seconds, max 30 seconds
  - 10MB output limit
Quick expressions:
- eval_expression — evaluate a single JavaScript expression and return the result
  - Use for quick math: "15 * 4500 * 0.01" → 675
  - Date calculations: "new Date().toISOString()"
  - Array operations: "[1,2,3].map(x => x*x)" → [1, 4, 9]
Best practices:
- Use execute_js for multi-step data processing, algorithm testing, code validation
- Use eval_expression for quick math, string ops, date calculations
- Pass large datasets via input parameter rather than embedding in code
- Combine with parse_csv (structured-data skill) for CSV → transform → output workflows
- Combine with store_deliverable to save computed results as job evidence
