Docker Sandbox Lucas — Docker沙盒环境管理

Name: Docker Sandbox Lucas — Docker沙盒环境管理
Author: lucasseeley

lucasseeley

🐳 Docker Sandbox Lucas — Docker沙盒环境管理

v1.0.1

创建和管理Docker沙盒化VM环境，用于安全执行代理。适用于运行不受信任代码、探索包或隔离代理工作负载。支持Claude、Codex、Copilot、Gemini和Kiro代理，具有网络代理控制。

0· 1,100·0 当前·0 累计

by @lucasseeley·MIT-0

文档工具云服务代码生成智能体 AI模型访问

下载技能包项目主页

License

MIT-0

最后更新

2026/2/12

安全扫描

VirusTotal

无害

查看报告

OpenClaw

可疑

medium confidence

技能指令与声明目的基本一致，但部分指导（如暴露主机Docker套接字和将主机工作空间挂载到沙盒）与所谓的'安全'隔离不一致，显著提高了特权逃脱风险。

评估建议

该技能实现了Docker-based沙盒，如宣称，但应谨慎对待其'安全'声明。使用前请：1) 确认信任Docker Desktop的沙盒实现和版本要求；2) 除非了解含义，否则避免将主机Docker套接字转发到沙盒；3) 小心选择挂载的主机目录，避免敏感路径；4) 测试不受信任代码时，使用默认拒绝的网络策略和明确的允许列表；5) 如果需要更强的保证，请在不暴露主机Docker守护进程或主机文件系统的隔离VM/实例中运行不受信任的工作负载；6) 由于这是指令-only且没有源/主页，请先在可丢弃环境中测试工作流，验证行为（沙盒内可见文件、是否实际存在docker.sock）后再使用真实秘密或宝贵主机资源。...

详细分析 ▾

✓ 用途与能力

名称和描述（创建/管理Docker沙盒）与运行时指令匹配：该技能需要docker二进制文件并使用'docker sandbox'命令。没有请求无关的凭据、二进制文件或安装。

⚠ 指令范围

SKILL.md明确描述了将主机工作空间挂载到沙盒（virtiofs）并提供沙盒包含Docker套接字at /run/docker.sock（Docker-in-Docker功能）。这两点对于某些沙盒工作流是正常的，但直接削弱了隔离：挂载任意主机路径授予沙盒访问主机文件的权限，暴露docker.sock启用容器逃脱和主机控制。这些行为与'安全'框架冲突，除非受到仔细约束（严格允许列表、不挂载敏感路径、不转发主机docker套接字），否则应视为危险。指令还建议设置网络代理和允许/阻塞列表——适当，但仅网络控制无法缓解docker.sock或挂载风险。

✓ 安装机制

指令-only技能；无安装步骤或外部下载。由于技能本身没有添加任何内容，因此最小化了磁盘风险。

✓ 凭证需求

该技能未声明任何必需的环境变量或凭据。SKILL.md建议在沙盒内设置环境变量（HTTP_PROXY等），这是合理和比例的。没有解释的无关秘密请求。

ℹ 持久化与权限

always:false和无安装是合适的。然而，操作模型（创建挂载主机路径的沙盒并可能转发/run/docker.sock）有效地在沙盒存在期间授予其对主机的高特权。技能本身不请求持久平台特权，但遵循其指令可以在主机上产生高影响特权。

安装前注意事项

确认信任Docker Desktop的沙盒实现和版本要求。
除非了解含义，否则避免将主机Docker套接字转发到沙盒。
小心选择挂载的主机目录，避免敏感路径（如home/.ssh、凭据、系统目录）。
测试不受信任代码时，使用默认拒绝的网络策略和明确的允许列表，避免允许访问内部服务。
如果需要更强的保证，请在不暴露主机Docker守护进程或主机文件系统的隔离VM/实例中运行不受信任的工作负载。
由于这是指令-only且没有源/主页，请先在可丢弃环境中测试工作流，验证行为（沙盒内可见文件、是否实际存在docker.sock）后再使用真实秘密或宝贵主机资源。

安全有层次，运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发，无需署名。

查看条款 ↗

运行时依赖

🖥️ OSLinux · macOS · Windows

版本

latestv1.0.12026/2/12

● 无害

安装命令点击复制

官方npx clawhub@latest install docker-sandbox-lucas

镜像加速npx clawhub@latest install docker-sandbox-lucas --registry https://cn.clawhub-mirror.com

技能文档

（由于原始内容过长且包含代码块、命令行指令和Markdown格式，以下为简略中文翻译，保留关键信息）

name: docker-sandbox-lucas description: 创建和管理Docker沙盒化VM环境，用于安全执行代理。支持Claude、Codex、Copilot、Gemini和Kiro代理，具有网络代理控制。

# Docker沙盒Lucas 运行代理和命令在隔离的VM环境中使用Docker Desktop的沙盒功能。每个沙盒获取自己的轻量级VM，具有文件系统隔离、网络代理控制和通过virtiofs的工作空间挂载。

使用场景

探索不受信任的包或技能
安全运行外部代码
测试破坏性操作
隔离代理工作负载
设置可复制的环境

快速开始

创建沙盒、执行命令、运行代理等（详见原始指令）

命令参考

生命周期命令、网络控制、自定义模板等（详见原始指令）

模式

安全包探索、持久开发环境、锁定代理执行等（详见原始指令）

故障排除

更新Docker Desktop、处理fetch失败、路径转换等（详见原始指令）

Run agents and commands in isolated VM environments using Docker Desktop's sandbox feature. Each sandbox gets its own lightweight VM with filesystem isolation, network proxy controls, and workspace mounting via virtiofs.

When to Use

Exploring untrusted packages or skills before installing them system-wide
Running arbitrary code from external sources safely
Testing destructive operations without risking the host
Isolating agent workloads that need network access controls
Setting up reproducible environments for experiments

Requirements

Docker Desktop 4.49+ with the docker sandbox plugin
Verify: docker sandbox version

Quick Start

Create a sandbox for the current project

docker sandbox create --name my-sandbox claude .

This creates a VM-isolated sandbox with:

The current directory mounted via virtiofs
Node.js, git, and standard dev tools pre-installed
Network proxy with allowlist controls

Run commands inside

docker sandbox exec my-sandbox node --version
docker sandbox exec my-sandbox npm install -g some-package
docker sandbox exec -w /path/to/workspace my-sandbox bash -c "ls -la"

Run an agent directly

# Create and run in one step docker sandbox run claude . -- -p "What files are in this project?"

# Run with agent arguments after -- docker sandbox run my-sandbox -- -p "Analyze this codebase"

Commands Reference

Lifecycle

# Create a sandbox (agents: claude, codex, copilot, gemini, kiro, cagent)
docker sandbox create --name   
# Run an agent in sandbox (creates if needed)
docker sandbox run   [-- ...]
docker sandbox run  [-- ...]
# Execute a command
docker sandbox exec [options]   [args...]
  -e KEY=VAL          # Set environment variable
  -w /path            # Set working directory
  -d                  # Detach (background)
  -i                  # Interactive (keep stdin open)
  -t                  # Allocate pseudo-TTY
# Stop without removing
docker sandbox stop 
# Remove (destroys VM)
docker sandbox rm 
# List all sandboxes
docker sandbox ls
# Reset all sandboxes
docker sandbox reset# Save snapshot as reusable template
docker sandbox save

Network Controls

The sandbox includes a network proxy for controlling outbound access.

# Allow specific domains docker sandbox network proxy --allow-host example.com docker sandbox network proxy --allow-host api.github.com # Block specific domains docker sandbox network proxy --block-host malicious.com # Block IP ranges docker sandbox network proxy --block-cidr 10.0.0.0/8 # Bypass proxy for specific hosts (direct connection) docker sandbox network proxy --bypass-host localhost # Set default policy (allow or deny all by default) docker sandbox network proxy --policy deny # Block everything, then allowlist docker sandbox network proxy --policy allow # Allow everything, then blocklist

# View network activity docker sandbox network log

Custom Templates

# Use a custom container image as base docker sandbox create --template my-custom-image:latest claude .

# Save current sandbox state as template for reuse docker sandbox save my-sandbox

Workspace Mounting

The workspace path on the host is mounted into the sandbox via virtiofs. The mount path inside the sandbox preserves the host path structure:

Host OS	Host Path	Sandbox Path
Windows	`H:\Projects\my-app`	`/h/Projects/my-app`
macOS	`/Users/me/projects/my-app`	`/Users/me/projects/my-app`
Linux	`/home/me/projects/my-app`	`/home/me/projects/my-app`

The agent's home directory is /home/agent/ with a symlinked workspace/ directory.

Environment Inside the Sandbox

Each sandbox VM includes:

Node.js (v20.x LTS)
Git (latest)
Python (system)
curl, wget, standard Linux utilities
npm (global install directory at /usr/local/share/npm-global/)
Docker socket (at /run/docker.sock - Docker-in-Docker capable)

Proxy Configuration (auto-set)

HTTP_PROXY=http://host.docker.internal:3128
HTTPS_PROXY=http://host.docker.internal:3128
NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/proxy-ca.crt
SSL_CERT_FILE=/usr/local/share/ca-certificates/proxy-ca.crt

Important: Node.js fetch (undici) does NOT respect HTTP_PROXY env vars by default. For npm packages that use fetch, create a require hook:

// /tmp/proxy-fix.js
const proxy = process.env.HTTPS_PROXY || process.env.HTTP_PROXY;
if (proxy) {
  const { ProxyAgent } = require('undici');
  const agent = new ProxyAgent(proxy);
  const origFetch = globalThis.fetch;
  globalThis.fetch = function(url, opts = {}) {
    return origFetch(url, { ...opts, dispatcher: agent });
  };
}

Run with: node -r /tmp/proxy-fix.js your-script.js

Patterns

Safe Package Exploration

# Create isolated sandbox
docker sandbox create --name pkg-test claude .
# Restrict network to only npm registry
docker sandbox network proxy pkg-test --policy deny
docker sandbox network proxy pkg-test --allow-host registry.npmjs.org
docker sandbox network proxy pkg-test --allow-host api.npmjs.org
# Install and inspect the package
docker sandbox exec pkg-test npm install -g suspicious-package
docker sandbox exec pkg-test bash -c "find /usr/local/share/npm-global/lib/node_modules/suspicious-package -name '*.js' | head -20"
# Check for post-install scripts, network calls, file access
docker sandbox network log pkg-test# Clean up
docker sandbox rm pkg-test

Persistent Dev Environment

# Create once docker sandbox create --name dev claude ~/projects/my-app # Use across sessions docker sandbox exec dev npm test docker sandbox exec dev npm run build

# Save as template for team sharing docker sandbox save dev

Locked-Down Agent Execution

# Deny-all network, allow only what's needed docker sandbox create --name secure claude . docker sandbox network proxy secure --policy deny docker sandbox network proxy secure --allow-host api.openai.com docker sandbox network proxy secure --allow-host github.com

# Run agent with restrictions docker sandbox run secure -- -p "Review this code for security issues"

Troubleshooting

"client version X is too old"

Update Docker Desktop to 4.49+. The sandbox plugin requires engine API v1.44+.

"fetch failed" inside sandbox

Node.js fetch doesn't use the proxy. Use the proxy-fix.js require hook above, or use curl instead:

docker sandbox exec my-sandbox curl -sL https://api.example.com/data

Path conversion on Windows (Git Bash / MSYS2)

Git Bash converts /path to C:/Program Files/Git/path. Prefix commands with:

MSYS_NO_PATHCONV=1 docker sandbox exec my-sandbox ls /home/agent

Sandbox won't start after Docker update

docker sandbox reset  # Clears all sandbox state

数据来源：ClawHub ↗ · 中文优化：龙虾技能库

OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险，如需更匹配、更安全的方案，建议联系付费定制

了解定制服务

License

运行时依赖

版本

安装命令 点击复制

技能文档

使用场景

快速开始

命令参考

模式

故障排除

When to Use

Requirements

Quick Start

Create a sandbox for the current project

Run commands inside

Run an agent directly

Commands Reference

Lifecycle

Network Controls

Custom Templates

Workspace Mounting

Environment Inside the Sandbox

Proxy Configuration (auto-set)

Patterns

Safe Package Exploration

Persistent Dev Environment

Locked-Down Agent Execution

Troubleshooting

"client version X is too old"

"fetch failed" inside sandbox

Path conversion on Windows (Git Bash / MSYS2)

Sandbox won't start after Docker update

安装命令点击复制