Ppio Sandbox

Author: piston4711 · GitHub · v0.1.8 · MIT-0
Platform: cross-platform · Flag: ⚠ suspicious
Total downloads: 315
Favorites: 0
Current installs: 1
Versions: 9
Install in OpenClaw
/install ppio-sandbox
Description
Run browser operations and untrusted code in a secure PPIO cloud sandbox (Firecracker VM). Use when: (1) browsing any external URL or website, (2) executing...
Safe usage recommendations
This skill implements a remote PPIO sandbox client and legitimately needs a PPIO API key and the ppio_sandbox Python package. However, the published metadata omits those required environment variables and package dependencies; that is a packaging/information mismatch you should address before trusting it. Before installing or using this skill:
  1. Verify the ppio_sandbox package (version >=1.0.5) on PyPI and review its source.
  2. Only set PPIO_API_KEY / E2B_API_KEY if you trust the PPIO provider (the key grants control over remote sandboxes and can be used to upload data).
  3. Be cautious with upload/download commands: they can read local files and send them to the remote sandbox if you pass local paths; never export secrets or sensitive workspace files to the sandbox unless you explicitly intend to.
  4. Confirm expected billing/costs for sandbox runtime (SKILL.md mentions per-second billing).
  5. Prefer to request that the registry owner update the skill manifest to declare required env vars and the ppio_sandbox dependency (so the manifest matches runtime behavior).
If you need higher assurance, ask the publisher for a provenance link (homepage/repository) and/or a signed release of the ppio_sandbox dependency.
Functional analysis
Type: OpenClaw Skill
Name: ppio-sandbox
Version: 0.1.8
The ppio-sandbox skill is a security-focused tool designed to execute untrusted code and browse external URLs within isolated Firecracker microVMs. The implementation in `scripts/sandbox.py` is a straightforward CLI wrapper for the `ppio_sandbox` SDK, and the `SKILL.md` instructions explicitly guide the AI agent to use the sandbox for high-risk tasks while warning against uploading sensitive local credentials or triggering known system bugs (e.g., the `config.patch` gateway crash). No malicious patterns, such as unauthorized data exfiltration or host-level persistence, were detected.
Capability assessment
Purpose & Capability
Name, description, SKILL.md, and the included CLI (scripts/sandbox.py) all consistently implement a remote PPIO sandbox client (create/exec/read/write/upload/download/list/kill). That functionality reasonably requires a PPIO API key and a Python SDK. However, the registry metadata declares no required environment variables or primary credential even though the code and instructions demand PPIO_API_KEY/E2B_API_KEY; this mismatch is unexpected and should have been declared.
Instruction Scope
SKILL.md instructs the agent to install and use the ppio_sandbox SDK and to export PPIO_API_KEY/E2B_API_KEY; the CLI supports uploading arbitrary local files to the sandbox (cmd_upload reads local files with open()) and downloading files back. The skill warns not to operate on the user's local workspace, yet the CLI provides explicit upload/download operations; this gives the skill (when invoked) the ability to exfiltrate local files if misused. The instructions also reference avoiding config.patch (gateway crash) and tell the agent not to modify the bundled script, which is reasonable but indicates tight coupling with platform behavior.
Install Mechanism
Registry install metadata only ensures python3 (brew/apt). The SKILL.md requires pip installing ppio_sandbox>=1.0.5 (via requirements.txt). Installing a third-party Python package from PyPI is a moderate-risk action (downloads and executes third-party code). The install sources are standard (PyPI), not an arbitrary URL, but the registry metadata failing to declare the package dependency is a packaging inconsistency.
Credentials
The runtime requires PPIO_API_KEY / E2B_API_KEY (explicit in SKILL.md and scripts) to contact the PPIO cloud; that credential is proportionate to the claimed purpose (remote sandbox control). However, the skill registry declares no required env vars/primary credential. The omission is important because the skill will fail or request secrets at runtime, and the API key grants control over remote sandboxes and could be used to transmit/upload local data. The user should treat the API key as sensitive and verify trust in the PPIO provider.
Persistence & Privilege
The skill is not always-enabled and can be invoked by the user; it does not request elevated platform privileges in the manifest. It does write/read local files only when the user explicitly runs upload/download commands (the CLI uses open() on user-provided paths). There is no evidence it modifies other skills or global agent config. Autonomous invocation (disable-model-invocation=false) is normal for skills; on its own this is not a flag.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Type the install command in the chat box: /install ppio-sandbox
  3. After installation completes, call the Skill by name directly or trigger it with /ppio-sandbox
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v0.1.8
Completely disable CDP mode. OpenClaw bug confirmed: config.patch unconditionally sends SIGUSR1 even with gateway.reload=hot (SIGUSR1 bypasses reload mode via separate restart-C7ane9OU.js code path). Removed all CDP sections. All browsing now via Exec mode only (curl/puppeteer/playwright). Added interactive page example with puppeteer script pattern. Rule 10: NEVER call config.patch for any reason.
v0.1.7
Add two-step browser mode decision: Step 1 judges by task type (prefer Exec/curl for text-only tasks, CDP only for interactive/visual tasks), Step 2 checks gateway.reload safety. Reduces unnecessary CDP usage and token costs.
v0.1.6
Explicitly forbid agent from using config.patch to modify gateway.reload or any gateway.* settings. Agent was self-modifying gateway.reload via config.patch which triggered SIGUSR1 crash. Added Rule 10 and multiple warnings: only user can manually edit openclaw.json for gateway settings.
v0.1.5
Setup Step 4: change from optional recommendation to REQUIRED user decision during install. Agent must present CDP vs Exec mode choice and wait for user response before proceeding. CDP remains blocked unless user explicitly configures gateway.reload=hot.
v0.1.4
Harden browser mode selection: CDP mode is now FORBIDDEN unless gateway.reload is "hot". Added Setup Step 4 requiring user to configure gateway.reload before CDP is available. Exec mode is the safe default. Prevents gateway crash from unconditional SIGUSR1 on config.patch.
v0.1.3
ppio-sandbox 0.1.3 - Added _meta.json metadata file. - Expanded SKILL.md instructions with detailed browser sandbox mode selection (CDP mode vs. Exec mode). - Added gateway config guidance: check `gateway.reload` value and prompt user if a restart is required for full CDP browser access. - Provided user-choice dialog for safer browsing tool experience. - Clarified setup and added explicit workflow for both browser automation modes.
v0.1.2
Fix: use _create() for auto_pause support on PyPI version (1.0.5), pin SDK version correctly
v0.1.1
Pin SDK version (ppio_sandbox>=1.1.2b1), prevent agent from modifying sandbox.py
v0.1.0
Initial release: browser-chromium + code-interpreter-v1 templates, auto-pause lifecycle, cost-aware agent rules, CDP browser integration
Metadata
Slug: ppio-sandbox
Version: 0.1.8
License: MIT-0
Total installs: 1
Current installs: 1
Historical versions: 9
FAQ

What is Ppio Sandbox?

Run browser operations and untrusted code in a secure PPIO cloud sandbox (Firecracker VM). Use when: (1) browsing any external URL or website, (2) executing... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 315 cumulative downloads to date.

How do I install Ppio Sandbox?

Run the command "/install ppio-sandbox" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Ppio Sandbox free?

Yes, Ppio Sandbox is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.

Which platforms does Ppio Sandbox support?

Ppio Sandbox runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Ppio Sandbox?

Developed and maintained by piston4711 (@piston4711); current version v0.1.8.