Skill Sandbox
Sandboxed installation pipeline for ClawHub skills. Install → Stage → Scan → Promote or Quarantine.
Quick Start
```bash
# Install a skill (stage, scan, auto-promote if clean)
bash {baseDir}/scripts/skill-sandbox.sh <skill-name>

# Install a specific version
bash {baseDir}/scripts/skill-sandbox.sh <skill-name> --version 1.2.0

# Force install (bypass VirusTotal flags from clawhub)
bash {baseDir}/scripts/skill-sandbox.sh <skill-name> --force

# Re-scan an already-staged skill
bash {baseDir}/scripts/skill-sandbox.sh <skill-name> --scan-only

# Promote a quarantined skill after manual review
bash {baseDir}/scripts/skill-sandbox.sh <skill-name> --promote

# List all quarantined skills
bash {baseDir}/scripts/skill-sandbox.sh --list-staged
```
How It Works
1. Stage — the skill is installed to `skills/_staging/<name>`, never directly to the live `skills/` directory.
2. Scan — a 5-layer automated security scan runs:
   - File inventory (hidden files, symlinks, binaries)
   - Code pattern analysis (eval, exec, network calls, secret access, obfuscation)
   - SKILL.md instruction review (dangerous agent directives)
   - Dependency check (package.json install scripts, known-risky deps)
   - Publisher verification (metadata, origin registry)
3. Verdict:
   - ✅ PASS (0 findings) → auto-promoted to `skills/`
   - ⚠️ WARN (warnings only) → quarantined, manual review recommended
   - ❌ FAIL (critical findings) → quarantined, deep audit required
Scan Details
Critical Findings (auto-quarantine)
- `eval()`, `new Function()` — dynamic code execution
- Symlinks — path traversal risk
- `postinstall` / `preinstall` scripts in package.json — npm supply chain vector
- Dangerous SKILL.md instructions (disable security, exfiltrate, reverse shells, chmod 777)
Warning Findings (review recommended)
- Network calls (`fetch`, `curl`, `axios`, `http`)
- Shell execution (`child_process`, `exec`, `spawn`, `subprocess`)
- Environment/secret access (`process.env`, `API_KEY`, `TOKEN`)
- Base64 encoding patterns (potential obfuscation)
- File system writes
- Hidden files (excluding `.clawhub/`)
- Non-text binary files
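As an added example (not the project's own skill-sandbox.sh), the sketch below shows how the code-pattern, symlink, install-script and hidden-file checks from the lists above combine into the PASS/WARN/FAIL verdict and the 0/2 exit codes this document describes. The regex lists and the constructed `make_sample_skill` fixtures are this example's own assumptions, not the script's real patterns.

```shell
#!/bin/sh
# Added example, not the project's skill-sandbox.sh. Pattern lists and the
# sample-skill fixtures below are this example's own assumptions.

# Critical patterns (any hit => FAIL) and warning patterns (=> WARN), as ERE.
CRITICAL_RE='(^|[^A-Za-z0-9_])eval\(|new Function\('
WARNING_RE='fetch\(|curl |axios|child_process|subprocess|process\.env|API_KEY|TOKEN'
# count_files_matching <regex> <dir>: text files under <dir> with at least one hit
count_files_matching() {
  grep -rIlE "$1" "$2" 2>/dev/null | wc -l | tr -d ' '
}
# critical_findings <dir>: regex hits + symlinks + npm pre/postinstall hooks
critical_findings() {
  n=$(count_files_matching "$CRITICAL_RE" "$1")
  n=$((n + $(find "$1" -type l | wc -l)))
  if [ -f "$1/package.json" ] && grep -qE '"(pre|post)install"' "$1/package.json"; then
    n=$((n + 1))
  fi
  echo "$n"
}
# warning_findings <dir>: regex hits + hidden files outside the allowed .clawhub/
warning_findings() {
  n=$(count_files_matching "$WARNING_RE" "$1")
  n=$((n + $(find "$1" -mindepth 1 -name '.*' ! -name '.clawhub' ! -path '*/.clawhub/*' | wc -l)))
  echo "$n"
}
# scan_skill_dir <dir>: prints "PASS|WARN|FAIL crit=N warn=M"; returns 0 (pass/warn) or 2 (fail)
scan_skill_dir() {
  crit=$(critical_findings "$1"); warn=$(warning_findings "$1")
  if [ "$crit" -gt 0 ]; then echo "FAIL crit=$crit warn=$warn"; return 2; fi
  if [ "$warn" -gt 0 ]; then echo "WARN crit=$crit warn=$warn"; return 0; fi
  echo "PASS crit=0 warn=0"; return 0
}

# make_sample_skill <dir> <clean|warn|fail>: constructed fixtures for a demo run
make_sample_skill() {
  mkdir -p "$1/.clawhub"
  echo '{"name":"demo"}' > "$1/.clawhub/meta.json"                          # allowed hidden dir
  echo 'export const greet = (n) => "hi " + n;' > "$1/index.js"
  if [ "$2" = warn ] || [ "$2" = fail ]; then
    echo 'const r = await fetch(process.env.API_URL);' >> "$1/index.js"   # warning: network + env
  fi
  if [ "$2" = fail ]; then
    echo '{"scripts":{"postinstall":"node setup.js"}}' > "$1/package.json" # critical: install hook
    echo 'eval(code);' > "$1/setup.js"                                     # critical: dynamic code
    ln -s ../../outside.txt "$1/escape"                                   # critical: symlink out of tree
  fi
}
```

Running `make_sample_skill /tmp/demo fail; scan_skill_dir /tmp/demo` prints `FAIL crit=3 warn=1` and exits 2, which is the exit code a CI job would gate on.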
Integration with Agent Workflows
For teams using security auditor agents (like Sentinel), the recommended flow:
1. Run `skill-sandbox.sh` for the fast automated scan
2. If WARN or FAIL → spawn your security agent for a deep LLM-powered audit of the staged files
3. After the agent clears it → `skill-sandbox.sh <name> --promote`
Directory Structure
```
skills/
├── _staging/              ← quarantine zone (gitignored)
│   └── <skill>/           ← flagged skills live here until promoted
├── skill-sandbox/         ← this skill
│   ├── SKILL.md
│   └── scripts/
│       └── skill-sandbox.sh
└── <other-skills>/        ← promoted (live) skills
```
Notes
- The `_staging/` directory should be added to `.gitignore`
- Clean skills auto-promote — no manual step needed for safe installs
- The script returns exit codes 0 (pass/warn) and 2 (fail) for CI integration
- All scan patterns are static regex — no network calls, no external dependencies