Skill v1.0.0
ClawScan security
Multi-Agent Sandbox · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Suspicious (Mar 8, 2026, 5:31 AM)
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The instructions match the declared goal of building a multi-host sandbox, but they require high-privilege host changes (systemd services, firewall rules, persistent network bridges) and enable broad agent capabilities (exec/process, sessions_send) without declaring credentials. This combination is coherent for the feature but risky and deserves careful review before installation.
- Guidance: This skill appears to do what it says, but it requires you to make host-level, persistent changes (systemd services, firewall rules, network bridges) and to give sandbox agents many powerful capabilities (exec/process, sessions_send). Before installing: (1) only run this on a dedicated host or VM you control; do not use your main agent host; (2) restrict socat binds to the smallest necessary IPs and verify the exact unit files before enabling them; (3) use per-agent Discord bot tokens with minimal scopes and do not reuse main agent credentials; (4) limit sandbox tool allowlists, removing exec/process or reducing workspace access if possible; (5) use Tailscale ACLs/exit node settings to restrict routes and audit connections; (6) rebuild and inspect the sandbox Docker image locally (avoid pulling unvetted images); and (7) log and monitor the created services and network flows so you can quickly revoke access. If you are unsure about any host commands or the source of this skill, ask the author for justification, a threat model, or a reviewed implementation before proceeding.
Review Dimensions
- Purpose & Capability (note): The SKILL.md describes exactly the advertised purpose: creating Docker sandbox agents that communicate cross-gateway via Discord, socat bridges, and Tailscale. The requested actions (adding an SSH client to the image, creating socat bridges, configuring Tailscale, and per-agent allowlists) are consistent with that purpose. However, some required host actions (systemd services and firewall rules) are high privilege; they are explainable by the stated architecture but are substantial and should be expected only if you intend to modify host networking.
- Instruction Scope (concern): The runtime instructions direct the operator to perform host-level changes: create systemd units, modify ufw rules, bind network listeners on the host's docker0 interface, and rebuild/force-remove containers. They also instruct enabling powerful sandbox tools (exec, process, read, write, apply_patch, sessions_send, sessions_spawn). These steps go beyond simply configuring an isolated container and create persistent bridging paths between containers, host, VPS, and external gateways, increasing the risk of unintended data exposure or lateral access if misconfigured.
- Install Mechanism (ok): This is an instruction-only skill (no install spec, no code files), so there is no automated download or archive extraction risk from the skill itself. The risk comes from the manual commands it instructs you to run on your systems.
- Credentials (concern): The skill requires external credentials and services in practice (Discord bot tokens, a Tailscale network, and a shared VPS) but declares no required environment variables in metadata. Asking operators to provision Discord bot tokens and Tailscale is reasonable for the described feature, but the skill also recommends enabling many powerful agent tools and cross-agent allowlists, increasing the chance of sensitive data flow. The absence of declared env vars is an inconsistency that reduces transparency.
- Persistence & Privilege (concern): The instructions create long-running host services (systemd socat units) and firewall rules that persist beyond a single agent session, establishing continuous network bridges between local containers, host, and a remote VPS. Although the skill is not flagged 'always:true', these persistent host changes effectively grant ongoing network access and increase the blast radius if an agent or image is compromised. The skill also advocates wide tool permissions (sessions_spawn, sessions_send), which can create long-lived A2A channels.
