Skill Sandbox
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill has a coherent security-testing purpose, but it asks users to run untrusted code locally while its default mode has no restrictions and its safety claims are stronger than the stated containment.
Review before installing. This appears to be a legitimate sandbox/monitoring tool, but do not assume it safely contains hostile code. Run unknown skills only inside Docker, a VM, or another disposable environment, and avoid the default unrestricted observe mode for anything you do not already trust.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious skill tested in the default mode could still perform actions allowed by the user's local OS permissions, such as reading files, writing files, or making network requests.
The skill's central workflow is to execute untrusted skill code, and the documented default mode explicitly does not restrict what that code can do. The skill's documentation describes that mode as:
> **observe** (default) — Run the skill and log everything it does. No restrictions.
Do not run untrusted skills in the default observe mode on a real workstation; use a disposable VM/container or an actually restricted sandbox, plus fake credentials and a timeout.
Users may over-trust the sandbox and run malicious skills on their main machine, believing their files and credentials are fully protected.
> Run any skill safely without risking your agent's data or credentials.
This broad safety claim is stronger than what the documented limitations support: execution is unrestricted by default, and the documentation itself states that the skill is not a true OS-level sandbox.
Treat this as a monitoring aid, not a guarantee of safe execution; the skill should make restricted or containerized execution the default and describe its limits more prominently.
