← Back to Skills Marketplace
trypto1019

Skill Sandbox

by ArcSelf · GitHub ↗ · v1.1.0
darwinlinux ⚠ suspicious
869
Downloads
1
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install arc-skill-sandbox
Description
Test untrusted skills in an isolated environment before installing. Monitors network access, filesystem writes, environment variable reads, and subprocess ca...
README (SKILL.md)

Skill Sandbox

Run untrusted skills in a monitored environment. See exactly what they do before giving them access to your real system.

Why This Exists

ClawHub has hundreds of skills. Some are malicious. Even after scanning with arc-skill-scanner, you can't catch everything with static analysis. The sandbox lets you run a skill's scripts and observe their behavior at runtime — what network calls they make, what files they access, what environment variables they read.

Commands

Sandbox a skill directory

python3 {baseDir}/scripts/sandbox.py run --path ~/.openclaw/skills/some-skill/

Run a specific script in sandbox

python3 {baseDir}/scripts/sandbox.py run --script ~/.openclaw/skills/some-skill/scripts/main.py

Run with network monitoring

python3 {baseDir}/scripts/sandbox.py run --path ~/.openclaw/skills/some-skill/ --monitor-network

Run with fake environment variables

python3 {baseDir}/scripts/sandbox.py run --path ~/.openclaw/skills/some-skill/ --fake-env

Run with a time limit

python3 {baseDir}/scripts/sandbox.py run --path ~/.openclaw/skills/some-skill/ --timeout 30

Generate a safety report

python3 {baseDir}/scripts/sandbox.py report --path ~/.openclaw/skills/some-skill/

What It Monitors

Filesystem Access

  • Files opened (read/write)
  • Directories created
  • File deletions
  • Permission changes

Environment Variables

  • Which env vars are read
  • Whether sensitive keys are accessed (API keys, tokens, passwords)
  • Option to inject fake values to see what the skill does with them

Network Activity

  • Outbound HTTP/HTTPS requests (URLs, methods, payloads)
  • DNS lookups
  • Socket connections
  • FTP, SMTP, and other protocols

Process Execution

  • Subprocess calls
  • Shell commands
  • Dynamic imports

Safety Modes

  • observe (default) — Run the skill and log everything it does. No restrictions.
  • restricted — Block network access and filesystem writes outside a temp directory.
  • honeypot — Provide fake credentials and endpoints to see if the skill tries to exfiltrate.

Output

The sandbox produces a JSON report with:

  • All filesystem operations (reads, writes, deletes)
  • All environment variable accesses
  • All network connections attempted
  • All subprocess calls
  • Warnings for suspicious patterns
  • A safety verdict (SAFE / SUSPICIOUS / DANGEROUS)

Integration

Combine with the workflow orchestrator for automated pre-install checks:

scan skill → sandbox run → review report → install if safe → audit log

Limitations

  • Python skills only (JavaScript/shell support planned)
  • Cannot catch all evasion techniques (obfuscated or delayed execution)
  • Network monitoring requires the skill to use standard Python libraries
  • Not a true OS-level sandbox (use Docker for that level of isolation)
Usage Guidance
This tool mostly does what it says (it checks Python skill code and emits a report), but be cautious: 1) 'observe' mode runs the skill with your real environment and no restrictions — that can let a malicious skill read or exfiltrate secrets; prefer using --fake-env or the 'restricted' mode. 2) The script's monitoring is limited: running the skill as a subprocess means the monitor cannot always see every env read or low-level socket operation, and the tool itself warns it is not an OS-level sandbox. 3) Do not rely solely on the sandbox verdict — inspect the generated JSON report and the skill's source yourself, and consider running untrusted skills inside a real container/VM (Docker) or isolated machine for high-risk cases. 4) If you need stronger guarantees (preventing native code, ctypes, exec/fork, raw sockets, or kernel-level side-channels), use Docker/VM-based isolation rather than this Python-based sandbox.
Capability Analysis
Type: OpenClaw Skill Name: arc-skill-sandbox Version: 1.1.0 This skill bundle implements a security sandbox designed to monitor and analyze the behavior of other untrusted skills. All observed 'risky' capabilities, such as logging filesystem operations, environment variable access, network calls, and subprocess execution (in `scripts/sandbox.py`), are explicitly part of its stated purpose to detect malicious activity in *other* skills. The inclusion of fake credentials (e.g., `sk-fake-sandbox-key-do-not-use`) is a honeypot mechanism to test the sandboxed skill's intent, not an attempt to steal real credentials. The `SKILL.md` documentation clearly outlines its defensive purpose, and the code demonstrates robust isolation techniques (subprocess execution, sanitized environment) to prevent sandbox escapes. There is no evidence of intentional harmful behavior by this skill itself.
Capability Assessment
Purpose & Capability
Name/description match what the package contains: a Python script for running and analyzing other Python skill code. Requiring python3 and referencing skill directories in the user's home is consistent with a tool that runs and inspects skill code.
Instruction Scope
SKILL.md claims comprehensive monitoring of filesystem, env reads, network and subprocesses. The implementation mixes subprocess isolation and in-process monitoring primitives; when it runs the skill as a separate subprocess (its stated default safe approach) it cannot directly observe which environment keys the child process reads unless additional instrumentation is injected into the child. The code also logs the injection of fake credentials as warnings immediately (monitor.warn on injection), which could be misleading because injection ≠ access. The default 'observe' mode runs the skill with no restrictions and could allow real secrets or network exfiltration — this conflicts with the 'safe' implication in the description.
Install Mechanism
No install spec; instruction-only plus a Python script. This is low-risk from an installation standpoint (nothing downloaded or auto-installed).
Credentials
The skill requests no external credentials and only requires python3, which is proportional. However, because SKILL.md's default observe mode runs a skill with the host environment and the tool logs environment variable access only under certain modes, a user following the docs could inadvertently expose real credentials or files. The script injects a fixed set of 'fake' keys (OpenAI, Anthropic, GitHub, AWS, etc.) which is sensible for testing, but injection is logged as a warning immediately regardless of whether the child actually reads them, creating potential false positives or misleading traces.
Persistence & Privilege
No always:true or other elevated persistence requested. The skill is user-invocable and not force-included. Normal autonomous invocation is allowed by platform defaults but is not a new concern here.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install arc-skill-sandbox
  3. After installation, invoke the skill by name or use /arc-skill-sandbox
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
arc-skill-sandbox 1.1.0 - Updated scripts/sandbox.py (details not included). - No user-facing documentation changes.
v1.0.1
- Updated scripts/sandbox.py. - No changes to documentation or user-facing features. - Version bump to 1.0.1.
v1.0.0
Initial release of skill-sandbox: safely test untrusted skills in a monitored environment. - Run and monitor skills before installing to protect your agent’s data and credentials. - Tracks filesystem changes, environment variable access, network activity, and subprocess calls. - Offers multiple safety modes (observe, restricted, honeypot) to control and observe behavior. - Produces detailed JSON safety reports highlighting suspicious or risky actions. - Python-only for now; additional language support planned in future versions.
Metadata
Slug arc-skill-sandbox
Version 1.1.0
License
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Skill Sandbox?

Test untrusted skills in an isolated environment before installing. Monitors network access, filesystem writes, environment variable reads, and subprocess ca... It is an AI Agent Skill for Claude Code / OpenClaw, with 869 downloads so far.

How do I install Skill Sandbox?

Run "/install arc-skill-sandbox" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Skill Sandbox free?

Yes, Skill Sandbox is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Skill Sandbox support?

Skill Sandbox is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).

Who created Skill Sandbox?

It is built and maintained by ArcSelf (@trypto1019); the current version is v1.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments