Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Code Sandbox
v0.1.0
Secure sandbox for executing Node.js, Python, Go, and Rust code with timeout, CPU, and isolated temporary directory constraints.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill advertises a 'secure sandbox' for multi-language execution, but the code shows process-level execution via shell commands (child_process.exec) rather than hardened isolation. The SKILL.md and TESTING.md emphasize security features, yet the implementation explicitly lists many missing protections (no Docker, no network isolation, no enforced memory limits). The claimed purpose (secure sandbox) is not matched by the current capabilities.
Instruction Scope
SKILL.md instructs installing and running the package locally (npm install, npm run demo). The runtime instructions and code write user-provided code to temporary directories and execute it with shell commands. There are no steps to strip or sanitize environment variables nor to restrict network/filesystem access. The documentation even warns 'NOT suitable for running untrusted code', which contradicts the top-level claim of a 'secure sandbox'.
Install Mechanism
There is no remote download/install spec in the registry metadata; installation is standard npm (package.json). package.json has no declared dependencies, so install risk is low. The skill is not pulling arbitrary archives or remote binaries.
Credentials
The skill declares no required environment variables, but the implementation passes the entire process.env into Node child processes (env: { ...process.env, NODE_ENV: 'sandbox' }) and other languages inherit the parent's env by default. This means any secrets in the agent/host environment (API keys, cloud creds, tokens) would be available to executed code — disproportionate to a safe sandbox and a serious confidentiality risk.
Persistence & Privilege
The skill does not request persistent privileges (always: false), does not declare required config paths or credentials, and does not modify other skills. It keeps execution history in-memory only. No excessive persistence or elevated platform privileges are requested.
What to consider before installing
This package is a prototype sandbox that runs user code by writing files and executing them via shell commands. Don't run untrusted code with it on any machine that holds secrets — the code intentionally (and by default) passes the host environment to child processes and has no network or filesystem isolation or enforced memory limits. If you consider installing or using it:
- Do not enable autonomous invocation for agents that have this skill without strict controls.
- Audit and remove exposure of sensitive environment variables before running (or run the sandbox with a deliberately empty env for child processes). Specifically, change child process env to a minimal whitelist (not ...process.env).
- Prefer running in a container/VM (Docker or isolated VM) with network disabled and resource quotas if you need to execute untrusted code.
- Review and harden executeWithTimeout behavior (exec spawns a shell; killing it may not kill grandchildren). Consider spawn with no shell, or use a container runtime and process supervision.
- Because the SKILL.md itself warns this is not suitable for untrusted code, treat the project as experimental. If you cannot accept the risk of environment leakage or arbitrary process execution, do not install or run this skill on sensitive hosts.
src/sandbox.js:227
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
