Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Boxed fs

v1.0.0

WebAssembly sandboxed file system operations for secure file read/write within explicitly declared directories. Use when needing to read, write, append, copy...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the instructions: the skill provides WASM-based sandboxed file operations and documents read/write/list/copy/remove operations. It requires an external openclaw-wasm-sandbox plugin (documented in USAGE.md) which is consistent with its purpose. No unrelated env vars, binaries, or paths are requested.
!
Instruction Scope
SKILL.md and USAGE.md keep operations scoped to a specified workDir and optional explicit mapDirs, which is correct for a sandboxed FS helper. However, the runtime instructions direct the agent to download a WASM binary from a third-party raw GitHub URL and then execute it via wasm-sandbox-run. There are no integrity checks (no checksum/signature) and no packaged source for the WASM, so the agent will fetch and run external code at runtime — this expands the risk surface.
!
Install Mechanism
There is no formal install spec; instead the skill relies on runtime download (wasm-sandbox-download) of a single WASM file hosted at a raw.githubusercontent.com URL. While GitHub raw URLs are common, downloading an executable blob at runtime without a checksum or embedded source is a moderate risk (the downloaded binary will be written to ~/.openclaw/skills/...).
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, the documented use of mapDirs means users or agents could grant the sandbox access to arbitrary host directories; if sensitive directories are mapped (intentionally or accidentally) the WASM could read or exfiltrate files. The skill itself does not request secrets, but runtime configuration can expose them.
Persistence & Privilege
always is false, the skill is user-invocable and does not request permanent inclusion or modifications to other skills or system-wide settings. It writes its WASM file to its own skill path per the examples, which is normal.
What to consider before installing
This skill appears to do what it says (sandboxed file ops), but it depends on downloading and running a WASM binary from a third-party GitHub raw URL at runtime with no checksum or source included. Before installing: (1) verify you trust the maintainer/repo (guyoung) and the specific WASM binary, (2) ask the author for a SHA256 checksum or signed release so you can verify integrity, (3) prefer skills that bundle the WASM or provide source code or reproducible builds, (4) avoid mapping sensitive host paths into mapDirs (do not map home, ssh keys, cloud credential locations, or other secrets), and (5) run first-time use in an isolated environment if possible. If the WASM were packaged with the skill or a checksum/signature were supplied, my concern would be reduced (verdict could move toward benign).
