Powershell Sandbox
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill claims to safely sandbox PowerShell, but the actual sandbox implementation is missing and its safety/test claims are not supported by the provided artifacts.
Do not use this as a sandbox for untrusted PowerShell unless the missing src/sandbox.ps1 file and meaningful tests are provided and reviewed. If you experiment, only run trusted scripts, require explicit approval for execution, prefer a VM or OS sandbox, and check what is written to .learnings/sandbox-log.md.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may believe they are installing a sandbox, but the artifact set does not include the code that would provide the advertised protections.
The documentation identifies src/sandbox.ps1 as the core sandbox executor, but the provided file manifest contains only package.json, SKILL.md, test/sandbox.test.js, and TEST_RESULTS.md. The core enforcement code is absent.
src/
│ ├── sandbox.ps1 # Sandbox executor (core)
Do not rely on this skill for untrusted PowerShell scripts until the missing sandbox implementation and real tests are supplied and reviewed.
If an agent or user treats this as a verified sandbox, untrusted PowerShell could be run with insufficient containment.
The skill tells the agent to invoke a local PowerShell script through exec. Local script execution is high-impact, and the sandbox file meant to constrain it is missing from the artifacts.
exec(
 command: '.\\skills\\powershell-sandbox\\src\\sandbox.ps1 -ScriptPath "C:\\Users\\99236\\.openclaw\\workspace\\scripts\\user-script.ps1"',
 timeout: 60
)
Require explicit user approval before any PowerShell execution, run only trusted scripts, and use a real OS-level sandbox or VM until the implementation is available.
The wording could cause users to over-trust the skill for running untrusted scripts.
The test results make strong safety claims even though the supplied artifacts lack the core sandbox implementation, and the included JS test can pass while reporting that the sandbox script is not found.
Status: ✅ ALL TESTS PASSED ... Recommendations

1. ✅ Ready for production use ... 2. ✅ Safe for untrusted scripts
Treat the production and safety claims as unverified unless backed by the actual sandbox source and tests that exercise the real controls.
Script activity may be stored locally and could later be read or reused by the agent environment.
The documentation says executions should be logged to a persistent .learnings file, which may retain script paths, commands, outputs, or other sensitive details.
Audit all executions - log to `.learnings/sandbox-log.md`
Avoid running scripts containing secrets, and define clear retention, redaction, and review rules for the audit log.
