ClawHub

Skill Sandbox

v1.0.0

Sandboxed ClawHub skill installation with automated security scanning. Use when: (1) Installing any new skill from ClawHub, (2) Auditing an already-installed...

0· 352·5 current·5 all-time
byDon Zurbrick@zurbrick

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zurbrick/skill-sandbox.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Skill Sandbox" (zurbrick/skill-sandbox) from ClawHub.
Skill page: https://clawhub.ai/zurbrick/skill-sandbox
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-sandbox

ClawHub CLI

Package manager switcher

npx clawhub@latest install skill-sandbox
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description claim a 'sandboxed' installation pipeline and 'no network calls / no external dependencies', but the script calls an external 'clawhub' installer (which will perform network operations and may run package install scripts) and relies on tools like jq/file/grep. The required binaries/environment are not declared, so requested actions are disproportionate to the metadata.
!
Instruction Scope
SKILL.md instructs the agent to run the included shell script which runs 'clawhub install' into a staging dir. That installer can execute a target skill's install/postinstall hooks on the host (not in an isolated container), so the actual runtime behavior can execute arbitrary code outside the intended scan. The script does not create a true sandbox (no chroot/namespace/container), and SKILL.md's 'no network calls' claim is inaccurate.
Install Mechanism
There is no external install spec for this skill itself (instruction-only with an included script), so nothing is downloaded by the skill at install time. The risk comes from the script invoking external installers (clawhub) at runtime rather than from an installer URL embedded in the skill.
!
Credentials
The skill declares no required env vars or binaries, yet the script expects OPENCLAW_WORKSPACE (optional), and depends on external binaries (clawhub, jq, file, grep, find, sed, mv, rm, etc.) and on network access. It also provides a --force option to bypass VirusTotal flags which can override upstream protections—this capability is powerful and not justified in the metadata.
Persistence & Privilege
always:false and no autonomous-disable flags—normal. The script can move staged skills into the live skills directory (promote) and will replace existing live skills; that is expected for a promote tool but be aware it can overwrite live skills when invoked with --promote. It does not request persistent platform-wide privileges or modify other skills' configs programmatically.
What to consider before installing
This skill appears to implement a staging-and-scan workflow, but several mismatches mean you should be cautious before using it as your safety guard: 1) It is not a true sandbox — the script runs 'clawhub install', which will perform network installs and may execute target skill install/postinstall hooks on your host. Run this in an isolated VM/container if you want protection. 2) The SKILL.md claims 'no network calls' and 'no external dependencies', which is false: ensure the host has and trusts 'clawhub', 'jq', and standard Unix tools the script uses. 3) The script offers a '--force' flag that bypasses VirusTotal checks—avoid using --force unless you fully trust the publisher. 4) The skill does not declare required binaries or environment variables (e.g., jq, file, clawhub, OPENCLAW_WORKSPACE), so inventory and install those dependencies manually in a safe environment. 5) Prefer running with '--scan-only' first and reviewing the staged files manually (or with an LLM-auditor) before promoting. If you lack a safe sandbox, do not run this on production hosts; instead run it inside an ephemeral VM or container and verify behavior and outputs before trusting automatic promotion.

Like a lobster shell, security has layers — review code before you run it.

latestvk973zxehf4rcdtjv3py30xq95s82dbb7
352downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
Don Zurbrick@zurbrick
latest
Download

Skill Sandbox

Sandboxed installation pipeline for ClawHub skills. Install → Stage → Scan → Promote or Quarantine.

Quick Start

# Install a skill (stages, scans, auto-promotes if clean)
bash {baseDir}/scripts/skill-sandbox.sh <skill-name>

# Install a specific version
bash {baseDir}/scripts/skill-sandbox.sh <skill-name> --version 1.2.0

# Force install (bypass VirusTotal flags from clawhub)
bash {baseDir}/scripts/skill-sandbox.sh <skill-name> --force

# Re-scan a staged skill
bash {baseDir}/scripts/skill-sandbox.sh <skill-name> --scan-only

# Promote a quarantined skill after manual review
bash {baseDir}/scripts/skill-sandbox.sh <skill-name> --promote

# List all quarantined skills
bash {baseDir}/scripts/skill-sandbox.sh --list-staged

How It Works

  1. Stage — Skill is installed to skills/_staging/<name> (never directly to live)
  2. Scan — 5-layer automated security scan runs:
    • File inventory (hidden files, symlinks, binaries)
    • Code pattern analysis (eval, exec, network calls, secret access, obfuscation)
    • SKILL.md instruction review (dangerous agent directives)
    • Dependency check (package.json install scripts, known-risky deps)
    • Publisher verification (metadata, origin registry)
  3. Verdict:
    • PASS (0 findings) → auto-promoted to skills/
    • ⚠️ WARN (warnings only) → quarantined, manual review recommended
    • FAIL (critical findings) → quarantined, deep audit required

Scan Details

Critical Findings (auto-quarantine)

  • eval(), new Function() — dynamic code execution
  • Symlinks — path traversal risk
  • postinstall / preinstall scripts in package.json — npm supply chain vector
  • Dangerous SKILL.md instructions (disable security, exfiltrate, reverse shells, chmod 777)

Warning Findings (review recommended)

  • Network calls (fetch, curl, axios, http)
  • Shell execution (child_process, exec, spawn, subprocess)
  • Environment/secret access (process.env, API_KEY, TOKEN)
  • Base64 encoding patterns (potential obfuscation)
  • File system writes
  • Hidden files (excluding .clawhub/)
  • Non-text binary files

Integration with Agent Workflows

For teams using security auditor agents (like Sentinel), the recommended flow:

  1. Run skill-sandbox.sh for the fast automated scan
  2. If WARN or FAIL → spawn your security agent for a deep LLM-powered audit of the staged files
  3. After agent clears it → skill-sandbox.sh <name> --promote

Directory Structure

skills/
├── _staging/          ← quarantine area (gitignored)
│   └── <skill>/       ← flagged skills live here until promoted
├── skill-sandbox/     ← this skill
│   ├── SKILL.md
│   └── scripts/
│       └── skill-sandbox.sh
└── <other-skills>/    ← promoted (live) skills

Notes

  • The _staging/ directory should be added to .gitignore
  • Clean skills auto-promote — no manual step needed for safe installs
  • The script returns exit codes: 0 (pass/warn), 2 (fail) for CI integration
  • All scan patterns are static regex — no network calls, no external dependencies

Comments

Loading comments...