← 返回 Skills 市场
Docker Sandbox Lucas
作者
LucasSeeley
· GitHub ↗
· v1.0.1
1164
总下载
0
收藏
5
当前安装
2
版本数
在 OpenClaw 中安装
/install docker-sandbox-lucas
功能描述
Create and manage Docker sandboxed VM environments for safe agent execution. Use when running untrusted code, exploring packages, or isolating agent workloads. Supports Claude, Codex, Copilot, Gemini, and Kiro agents with network proxy controls.
使用说明 (SKILL.md)
Docker Sandbox
Run agents and commands in isolated VM environments using Docker Desktop's sandbox feature. Each sandbox gets its own lightweight VM with filesystem isolation, network proxy controls, and workspace mounting via virtiofs.
When to Use
- Exploring untrusted packages or skills before installing them system-wide
- Running arbitrary code from external sources safely
- Testing destructive operations without risking the host
- Isolating agent workloads that need network access controls
- Setting up reproducible environments for experiments
Requirements
- Docker Desktop 4.49+ with the
docker sandboxplugin - Verify:
docker sandbox version
Quick Start
Create a sandbox for the current project
docker sandbox create --name my-sandbox claude .
This creates a VM-isolated sandbox with:
- The current directory mounted via virtiofs
- Node.js, git, and standard dev tools pre-installed
- Network proxy with allowlist controls
Run commands inside
docker sandbox exec my-sandbox node --version
docker sandbox exec my-sandbox npm install -g some-package
docker sandbox exec -w /path/to/workspace my-sandbox bash -c "ls -la"
Run an agent directly
# Create and run in one step
docker sandbox run claude . -- -p "What files are in this project?"
# Run with agent arguments after --
docker sandbox run my-sandbox -- -p "Analyze this codebase"
Commands Reference
Lifecycle
# Create a sandbox (agents: claude, codex, copilot, gemini, kiro, cagent)
docker sandbox create --name \x3Cname> \x3Cagent> \x3Cworkspace-path>
# Run an agent in sandbox (creates if needed)
docker sandbox run \x3Cagent> \x3Cworkspace> [-- \x3Cagent-args>...]
docker sandbox run \x3Cexisting-sandbox> [-- \x3Cagent-args>...]
# Execute a command
docker sandbox exec [options] \x3Csandbox> \x3Ccommand> [args...]
-e KEY=VAL # Set environment variable
-w /path # Set working directory
-d # Detach (background)
-i # Interactive (keep stdin open)
-t # Allocate pseudo-TTY
# Stop without removing
docker sandbox stop \x3Csandbox>
# Remove (destroys VM)
docker sandbox rm \x3Csandbox>
# List all sandboxes
docker sandbox ls
# Reset all sandboxes
docker sandbox reset
# Save snapshot as reusable template
docker sandbox save \x3Csandbox>
Network Controls
The sandbox includes a network proxy for controlling outbound access.
# Allow specific domains
docker sandbox network proxy \x3Csandbox> --allow-host example.com
docker sandbox network proxy \x3Csandbox> --allow-host api.github.com
# Block specific domains
docker sandbox network proxy \x3Csandbox> --block-host malicious.com
# Block IP ranges
docker sandbox network proxy \x3Csandbox> --block-cidr 10.0.0.0/8
# Bypass proxy for specific hosts (direct connection)
docker sandbox network proxy \x3Csandbox> --bypass-host localhost
# Set default policy (allow or deny all by default)
docker sandbox network proxy \x3Csandbox> --policy deny # Block everything, then allowlist
docker sandbox network proxy \x3Csandbox> --policy allow # Allow everything, then blocklist
# View network activity
docker sandbox network log \x3Csandbox>
Custom Templates
# Use a custom container image as base
docker sandbox create --template my-custom-image:latest claude .
# Save current sandbox state as template for reuse
docker sandbox save my-sandbox
Workspace Mounting
The workspace path on the host is mounted into the sandbox via virtiofs. The mount path inside the sandbox preserves the host path structure:
| Host OS | Host Path | Sandbox Path |
|---|---|---|
| Windows | H:\Projects\my-app |
/h/Projects/my-app |
| macOS | /Users/me/projects/my-app |
/Users/me/projects/my-app |
| Linux | /home/me/projects/my-app |
/home/me/projects/my-app |
The agent's home directory is /home/agent/ with a symlinked workspace/ directory.
Environment Inside the Sandbox
Each sandbox VM includes:
- Node.js (v20.x LTS)
- Git (latest)
- Python (system)
- curl, wget, standard Linux utilities
- npm (global install directory at
/usr/local/share/npm-global/) - Docker socket (at
/run/docker.sock- Docker-in-Docker capable)
Proxy Configuration (auto-set)
HTTP_PROXY=http://host.docker.internal:3128
HTTPS_PROXY=http://host.docker.internal:3128
NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/proxy-ca.crt
SSL_CERT_FILE=/usr/local/share/ca-certificates/proxy-ca.crt
Important: Node.js fetch (undici) does NOT respect HTTP_PROXY env vars by default. For npm packages that use fetch, create a require hook:
// /tmp/proxy-fix.js
const proxy = process.env.HTTPS_PROXY || process.env.HTTP_PROXY;
if (proxy) {
const { ProxyAgent } = require('undici');
const agent = new ProxyAgent(proxy);
const origFetch = globalThis.fetch;
globalThis.fetch = function(url, opts = {}) {
return origFetch(url, { ...opts, dispatcher: agent });
};
}
Run with: node -r /tmp/proxy-fix.js your-script.js
Patterns
Safe Package Exploration
# Create isolated sandbox
docker sandbox create --name pkg-test claude .
# Restrict network to only npm registry
docker sandbox network proxy pkg-test --policy deny
docker sandbox network proxy pkg-test --allow-host registry.npmjs.org
docker sandbox network proxy pkg-test --allow-host api.npmjs.org
# Install and inspect the package
docker sandbox exec pkg-test npm install -g suspicious-package
docker sandbox exec pkg-test bash -c "find /usr/local/share/npm-global/lib/node_modules/suspicious-package -name '*.js' | head -20"
# Check for post-install scripts, network calls, file access
docker sandbox network log pkg-test
# Clean up
docker sandbox rm pkg-test
Persistent Dev Environment
# Create once
docker sandbox create --name dev claude ~/projects/my-app
# Use across sessions
docker sandbox exec dev npm test
docker sandbox exec dev npm run build
# Save as template for team sharing
docker sandbox save dev
Locked-Down Agent Execution
# Deny-all network, allow only what's needed
docker sandbox create --name secure claude .
docker sandbox network proxy secure --policy deny
docker sandbox network proxy secure --allow-host api.openai.com
docker sandbox network proxy secure --allow-host github.com
# Run agent with restrictions
docker sandbox run secure -- -p "Review this code for security issues"
Troubleshooting
"client version X is too old"
Update Docker Desktop to 4.49+. The sandbox plugin requires engine API v1.44+.
"fetch failed" inside sandbox
Node.js fetch doesn't use the proxy. Use the proxy-fix.js require hook above, or use curl instead:
docker sandbox exec my-sandbox curl -sL https://api.example.com/data
Path conversion on Windows (Git Bash / MSYS2)
Git Bash converts /path to C:/Program Files/Git/path. Prefix commands with:
MSYS_NO_PATHCONV=1 docker sandbox exec my-sandbox ls /home/agent
Sandbox won't start after Docker update
docker sandbox reset # Clears all sandbox state
安全使用建议
This skill appears to implement Docker-based sandboxes as advertised, but you should treat its 'safe' claims cautiously. Before using: 1) Confirm you trust Docker Desktop's sandbox implementation and the version requirement. 2) Avoid forwarding the host Docker socket into sandboxes unless you understand the implications — access to /run/docker.sock lets processes control the host Docker daemon and break containment. 3) Be careful which host directories you mount; do not mount sensitive paths (home/.ssh, credentials, system dirs). 4) When testing untrusted code, prefer deny-by-default network policy with explicit allowlists and avoid allowing access to internal services. 5) If you need stronger guarantees, run untrusted workloads in an isolated VM/instance that does not expose the host docker daemon or host filesystem. 6) Because this is instruction-only and has no source/homepage, consider testing the workflow in a disposable environment first and verify behavior (what files are visible inside the sandbox, whether docker.sock is actually present) before using with real secrets or valuable host resources.
功能分析
Type: OpenClaw Skill
Name: docker-sandbox-lucas
Version: 1.0.1
The skill is designed to create and manage isolated Docker sandboxes for safe execution of untrusted code, explicitly stating its purpose is to enhance security. It primarily documents and provides an interface to the `docker sandbox` CLI tool, including features for network access control and workspace mounting. There is no evidence of prompt injection attempting to subvert the agent for malicious purposes, nor any instructions for data exfiltration, persistence, or unauthorized execution on the host system. The presence of the Docker socket inside the sandbox is for Docker-in-Docker functionality within the isolated VM, consistent with its stated purpose of providing a secure environment.
能力评估
Purpose & Capability
Name and description (create/manage Docker sandboxes) match the runtime instructions: the skill requires the docker binary and uses 'docker sandbox' commands. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
The SKILL.md explicitly describes mounting host workspaces into sandboxes (virtiofs) and provides that sandboxes include a Docker socket at /run/docker.sock (Docker-in-Docker capable). Both of these are normal for some sandbox workflows but directly weaken isolation: mounting arbitrary host paths grants sandbox access to host files, and exposing docker.sock enables container escape and host control. Those behaviors conflict with the 'safe' framing and should be treated as dangerous unless carefully constrained (strict allowlists, no mounting of sensitive paths, and no forwarding of host docker socket). The instructions also advise setting network proxies and allow/block lists — appropriate, but network controls alone do not mitigate the docker.sock or mount risks.
Install Mechanism
Instruction-only skill; no install steps or external downloads. This minimizes on-disk risk because nothing is added by the skill itself.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md suggests setting environment variables inside the sandbox (HTTP_PROXY, etc.), which is reasonable and proportional. There is no unexplained request for unrelated secrets.
Persistence & Privilege
always:false and no install are appropriate. However, the operational model (creating sandboxes that mount host paths and may forward /run/docker.sock) effectively grants created sandboxes high privileges over the host while they exist. The skill itself does not request persistent platform privileges, but following its instructions can produce high-impact privileges on the host.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install docker-sandbox-lucas - 安装完成后,直接呼叫该 Skill 的名称或使用
/docker-sandbox-lucas触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
- Updated meta file formatting; no user-facing changes.
- Clarified or standardized metadata structure for consistency.
v1.0.0
Lucas fork of docker-sandbox
元数据
常见问题
Docker Sandbox Lucas 是什么?
Create and manage Docker sandboxed VM environments for safe agent execution. Use when running untrusted code, exploring packages, or isolating agent workloads. Supports Claude, Codex, Copilot, Gemini, and Kiro agents with network proxy controls. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1164 次。
如何安装 Docker Sandbox Lucas?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install docker-sandbox-lucas」即可一键安装,无需额外配置。
Docker Sandbox Lucas 是免费的吗?
是的,Docker Sandbox Lucas 完全免费(开源免费),可自由下载、安装和使用。
Docker Sandbox Lucas 支持哪些平台?
Docker Sandbox Lucas 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(linux, darwin, win32)。
谁开发了 Docker Sandbox Lucas?
由 LucasSeeley(@lucasseeley)开发并维护,当前版本 v1.0.1。
推荐 Skills