← 返回 Skills 市场
trypto1019

Skill Sandbox

作者 ArcSelf · GitHub ↗ · v1.1.0
darwinlinux ⚠ suspicious
869
总下载
1
收藏
0
当前安装
3
版本数
在 OpenClaw 中安装
/install arc-skill-sandbox
功能描述
Test untrusted skills in an isolated environment before installing. Monitors network access, filesystem writes, environment variable reads, and subprocess ca...
使用说明 (SKILL.md)

Skill Sandbox

Run untrusted skills in a monitored environment. See exactly what they do before giving them access to your real system.

Why This Exists

ClawHub has hundreds of skills. Some are malicious. Even after scanning with arc-skill-scanner, you can't catch everything with static analysis. The sandbox lets you run a skill's scripts and observe their behavior at runtime — what network calls they make, what files they access, what environment variables they read.

Commands

Sandbox a skill directory

python3 {baseDir}/scripts/sandbox.py run --path ~/.openclaw/skills/some-skill/

Run a specific script in sandbox

python3 {baseDir}/scripts/sandbox.py run --script ~/.openclaw/skills/some-skill/scripts/main.py

Run with network monitoring

python3 {baseDir}/scripts/sandbox.py run --path ~/.openclaw/skills/some-skill/ --monitor-network

Run with fake environment variables

python3 {baseDir}/scripts/sandbox.py run --path ~/.openclaw/skills/some-skill/ --fake-env

Run with a time limit

python3 {baseDir}/scripts/sandbox.py run --path ~/.openclaw/skills/some-skill/ --timeout 30

Generate a safety report

python3 {baseDir}/scripts/sandbox.py report --path ~/.openclaw/skills/some-skill/

What It Monitors

Filesystem Access

  • Files opened (read/write)
  • Directories created
  • File deletions
  • Permission changes

Environment Variables

  • Which env vars are read
  • Whether sensitive keys are accessed (API keys, tokens, passwords)
  • Option to inject fake values to see what the skill does with them

Network Activity

  • Outbound HTTP/HTTPS requests (URLs, methods, payloads)
  • DNS lookups
  • Socket connections
  • FTP, SMTP, and other protocols

Process Execution

  • Subprocess calls
  • Shell commands
  • Dynamic imports

Safety Modes

  • observe (default) — Run the skill and log everything it does. No restrictions.
  • restricted — Block network access and filesystem writes outside a temp directory.
  • honeypot — Provide fake credentials and endpoints to see if the skill tries to exfiltrate.

Output

The sandbox produces a JSON report with:

  • All filesystem operations (reads, writes, deletes)
  • All environment variable accesses
  • All network connections attempted
  • All subprocess calls
  • Warnings for suspicious patterns
  • A safety verdict (SAFE / SUSPICIOUS / DANGEROUS)

Integration

Combine with the workflow orchestrator for automated pre-install checks:

scan skill → sandbox run → review report → install if safe → audit log

Limitations

  • Python skills only (JavaScript/shell support planned)
  • Cannot catch all evasion techniques (obfuscated or delayed execution)
  • Network monitoring requires the skill to use standard Python libraries
  • Not a true OS-level sandbox (use Docker for that level of isolation)
安全使用建议
This tool mostly does what it says (it checks Python skill code and emits a report), but be cautious: 1) 'observe' mode runs the skill with your real environment and no restrictions — that can let a malicious skill read or exfiltrate secrets; prefer using --fake-env or the 'restricted' mode. 2) The script's monitoring is limited: running the skill as a subprocess means the monitor cannot always see every env read or low-level socket operation, and the tool itself warns it is not an OS-level sandbox. 3) Do not rely solely on the sandbox verdict — inspect the generated JSON report and the skill's source yourself, and consider running untrusted skills inside a real container/VM (Docker) or isolated machine for high-risk cases. 4) If you need stronger guarantees (preventing native code, ctypes, exec/fork, raw sockets, or kernel-level side-channels), use Docker/VM-based isolation rather than this Python-based sandbox.
功能分析
Type: OpenClaw Skill Name: arc-skill-sandbox Version: 1.1.0 This skill bundle implements a security sandbox designed to monitor and analyze the behavior of other untrusted skills. All observed 'risky' capabilities, such as logging filesystem operations, environment variable access, network calls, and subprocess execution (in `scripts/sandbox.py`), are explicitly part of its stated purpose to detect malicious activity in *other* skills. The inclusion of fake credentials (e.g., `sk-fake-sandbox-key-do-not-use`) is a honeypot mechanism to test the sandboxed skill's intent, not an attempt to steal real credentials. The `SKILL.md` documentation clearly outlines its defensive purpose, and the code demonstrates robust isolation techniques (subprocess execution, sanitized environment) to prevent sandbox escapes. There is no evidence of intentional harmful behavior by this skill itself.
能力评估
Purpose & Capability
Name/description match what the package contains: a Python script for running and analyzing other Python skill code. Requiring python3 and referencing skill directories in the user's home is consistent with a tool that runs and inspects skill code.
Instruction Scope
SKILL.md claims comprehensive monitoring of filesystem, env reads, network and subprocesses. The implementation mixes subprocess isolation and in-process monitoring primitives; when it runs the skill as a separate subprocess (its stated default safe approach) it cannot directly observe which environment keys the child process reads unless additional instrumentation is injected into the child. The code also logs the injection of fake credentials as warnings immediately (monitor.warn on injection), which could be misleading because injection ≠ access. The default 'observe' mode runs the skill with no restrictions and could allow real secrets or network exfiltration — this conflicts with the 'safe' implication in the description.
Install Mechanism
No install spec; instruction-only plus a Python script. This is low-risk from an installation standpoint (nothing downloaded or auto-installed).
Credentials
The skill requests no external credentials and only requires python3, which is proportional. However, because SKILL.md's default observe mode runs a skill with the host environment and the tool logs environment variable access only under certain modes, a user following the docs could inadvertently expose real credentials or files. The script injects a fixed set of 'fake' keys (OpenAI, Anthropic, GitHub, AWS, etc.) which is sensible for testing, but injection is logged as a warning immediately regardless of whether the child actually reads them, creating potential false positives or misleading traces.
Persistence & Privilege
No always:true or other elevated persistence requested. The skill is user-invocable and not force-included. Normal autonomous invocation is allowed by platform defaults but is not a new concern here.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install arc-skill-sandbox
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /arc-skill-sandbox 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.1.0
arc-skill-sandbox 1.1.0 - Updated scripts/sandbox.py (details not included). - No user-facing documentation changes.
v1.0.1
- Updated scripts/sandbox.py. - No changes to documentation or user-facing features. - Version bump to 1.0.1.
v1.0.0
Initial release of skill-sandbox: safely test untrusted skills in a monitored environment. - Run and monitor skills before installing to protect your agent’s data and credentials. - Tracks filesystem changes, environment variable access, network activity, and subprocess calls. - Offers multiple safety modes (observe, restricted, honeypot) to control and observe behavior. - Produces detailed JSON safety reports highlighting suspicious or risky actions. - Python-only for now; additional language support planned in future versions.
元数据
Slug arc-skill-sandbox
版本 1.1.0
许可证
累计安装 0
当前安装数 0
历史版本数 3
常见问题

Skill Sandbox 是什么?

Test untrusted skills in an isolated environment before installing. Monitors network access, filesystem writes, environment variable reads, and subprocess ca... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 869 次。

如何安装 Skill Sandbox?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install arc-skill-sandbox」即可一键安装,无需额外配置。

Skill Sandbox 是免费的吗?

是的,Skill Sandbox 完全免费(开源免费),可自由下载、安装和使用。

Skill Sandbox 支持哪些平台?

Skill Sandbox 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(darwin, linux)。

谁开发了 Skill Sandbox?

由 ArcSelf(@trypto1019)开发并维护,当前版本 v1.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论