← Back to Skills Marketplace
452
Downloads
0
Stars
1
Active Installs
12
Versions
Install in OpenClaw
/install skillshield-openclaw
Description
Sandboxed command runner for AI agents — validates and isolates every shell action inside a Bubblewrap user namespace.
README (SKILL.md)
skillshield
Sandboxed command runner for AI agents — validates and isolates every shell action inside a Bubblewrap user namespace.
SkillShield sits between your AI agent and the operating system. Before any shell command runs, a lightweight Rust daemon checks it against a set of safety rules and decides whether to allow it, sandbox it, or ask for your confirmation. Every decision is logged so you always know what happened.
What it does
- Validates commands — checks each shell request against configurable rules before execution.
- Isolates execution — runs approved commands inside a Bubblewrap sandbox with a minimal, read-only root filesystem.
- Limits repetition — stops agents that get stuck in a loop and start consuming too many resources.
- Logs decisions — every action (allowed, sandboxed, or paused for review) is recorded with structured metadata.
How to use
# Install from ClawHub
npx clawhub@latest install skillshield-openclaw
# Run a command through the safety layer
./skillshield-exec.sh "echo hello world"
Requirements
| Dependency | Purpose |
|---|---|
| Linux | User-namespace support |
bwrap |
Bubblewrap sandbox runtime |
cargo |
Builds the Rust daemon on first run |
Links
- Homepage: https://coinwin.info
- Marketplace: https://clawhub.ai/star8592/skillshield-openclaw
Usage Guidance
This skill appears to do what it says: build a local Rust daemon and run commands inside a Bubblewrap sandbox. Before installing, consider: 1) you will compile and run native code from an unverified source — inspect the source yourself or run it in an isolated VM/container if you don't trust the publisher; 2) the wrapper defaults to a unix socket but the daemon supports TCP binding via SKILLSHIELDD_BIND — avoid exposing it to the network unless you intend to and have secured it; 3) the tool writes logs and build artifacts into your XDG cache directory (~/.cache by default); 4) ensure your system supports user namespaces and Bubblewrap; and 5) verify the publisher/homepage and consider auditing the Cargo.toml/dependencies if you need higher assurance.
Capability Analysis
Type: OpenClaw Skill
Name: skillshield-openclaw
Version: 2.1.8
The skill is a legitimate security utility designed to sandbox AI agent shell commands using Bubblewrap (bwrap). It implements a Rust-based enforcement daemon (skillshieldd) that validates and isolates execution within a restricted user namespace (using --unshare-all and read-only binds). The provided bash wrapper (skillshield-exec.sh) manages the daemon lifecycle and communicates via a local Unix socket. No evidence of data exfiltration, malicious persistence, or unauthorized network activity was found; the code is well-structured and aligns perfectly with its stated purpose of enhancing agent safety.
Capability Assessment
Purpose & Capability
The declared purpose (validate and run shell commands in a Bubblewrap sandbox) matches the provided files and runtime behavior. The wrapper script checks for bwrap, cargo, curl and python3 and the Rust daemon implements a Bubblewrap executor. Required binaries (cargo, bwrap, curl, python3) are used by the wrapper and daemon and are proportionate to the task.
Instruction Scope
SKILL.md and skillshield-exec.sh instruct building a local daemon and forwarding commands via a unix-domain socket; the code only touches files inside the user's XDG cache directory for build artifacts, PID/log/socket. The daemon can be configured (via the SKILLSHIELDD_BIND env var) to bind TCP instead of a unix socket — the wrapper sets a unix socket by default, but the binary supports alternate (network) binding which expands its attack surface if misconfigured or run manually.
Install Mechanism
This is instruction-only (no marketplace install spec), but includes full Rust source and a wrapper that invokes cargo build on first run. Building and running supplied native code is coherent for this skill, but compiling unknown third-party code locally is a real risk because the resulting binary executes with your user privileges. The code itself contains no obvious exfiltration or remote endpoints.
Credentials
The skill does not require secrets or unrelated environment variables. The only meaningful env interaction is SKILLSHIELDD_BIND (used to choose unix vs tcp binding) and standard XDG_CACHE_HOME/$HOME for cache paths; these are consistent with a local daemon. No credentials or unrelated service tokens are requested.
Persistence & Privilege
always:false (not persisted system‑wide). The skill writes build artifacts, logs, pid and a unix socket into the user's cache directory and launches a user‑owned background daemon — this is expected for a local enforcement service. It does not modify other skills or system-wide agent settings. The ability to bind TCP (if env changed) increases privilege scope if misused.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install skillshield-openclaw - After installation, invoke the skill by name or use
/skillshield-openclaw - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.1.8
v2.1.8: Simplify marketplace description. Neutral language.
v2.1.7
v2.1.7: Simplify descriptions to focus on user-facing problems. Remove technical jargon.
v2.1.6
v2.1.6: Simplify policy to pure sandbox-first approach. Remove unused fallback executor. Clean up all source files.
v2.1.5
v2.1.5: Rewrite documentation for clarity. Clean up policy reason strings.
v2.1.4
Tighten the bundled daemon: restart after rebuild, disable sandbox networking, and explicitly block outbound shell tooling.
v2.1.3
Ship a bundled Rust enforcement daemon and execute commands through bubblewrap instead of direct bash fallback.
v2.1.2
Update to reflect Rust/bwrap architecture.
v2.1.0
**skillshield-openclaw 2.1.0 changelog**
- SKILL.md updated: rewritten in English, clarified local-only scope and limitations, simplified risk claims.
- Added test-crawler.js for initial test or development purposes.
- config.json and skillshield-exec.sh updated for alignment with new documentation and policy.
- No changes to core wrapper logic; focus is on documentation clarity and transparency.
v1.0.4
Rewrote product messaging to focus on the top user problems solved: destructive commands, secret leakage, runaway loops, and missing audit visibility.
v1.0.3
Clarified local-only behavior, removed coercive wrapper language, removed eval, and improved scanner transparency.
v1.0.1
Local only free edition.
v1.0.0
Initial public release of SkillShield free edition.
Metadata
Frequently Asked Questions
What is Openclaw Skill?
Sandboxed command runner for AI agents — validates and isolates every shell action inside a Bubblewrap user namespace. It is an AI Agent Skill for Claude Code / OpenClaw, with 452 downloads so far.
How do I install Openclaw Skill?
Run "/install skillshield-openclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Openclaw Skill free?
Yes, Openclaw Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Openclaw Skill support?
Openclaw Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Openclaw Skill?
It is built and maintained by star8592 (@star8592); the current version is v2.1.8.
More Skills