首页 / 技能 / the-install-sandbox — the-安装-sandbox

📦 the-install-sandbox — the-安装-sandbox

v1.0.0

Sandbox and 扫描 ClawHub 技能s with 30+ security 检查s before 安装ation, providing PASS, 警告, or BLOCK verdicts based on severity scores.

0· 0·0 当前·0 累计
certainlogicai 头像by @certainlogicai
安全加密钉钉
下载技能包
0
安全扫描
VirusTotal
无害
查看报告
OpenClaw
可疑
medium confidence
The 技能's purpose (sandbox + 扫描器) matches its code, but there are multiple implementation inconsistencies and over状态d clAIms (isolated tmpfs, network-off, time limits, and a missing 安装 method) that mean the package is not what its README/技能.md promise without further review.
评估建议
This package 应用ears to implement a 扫描器 and sandbox and includes sensible 检测ion rules, but there are notable mismatches between what the docs promise and what the code implements. Before trusting it as your gating 工具: - Do not enable any auto-应用rove or automatic actions based solely on its 输出 until you confirm its behavior. - Manually review or 运行 the package locally: 运行 its tests and exercise 扫描/扫描-local flows (use copy_local) to 验证 behavior. The 命令行工具 references sandbox.安装_技能 which is missin...
详细分析 ▾
用途与能力
Name/description and the included 扫描器/sandbox code broadly align: patterns, 扫描器, 报告er, and policy exist and are coherent for a pre-安装 security 扫描器. However README/技能.md repeatedly clAIm a true tmpfs jAIl (50MB), network-off, time-limited sandbox and a remote fetch/安装 step. The Sandbox.创建() implementation merely makes a directory under the 系统 temp dir and does not mount tmpfs, enforce size limits, drop network, or implement timeouts/namespaces. 添加itionally, the 命令行工具 calls sandbox.安装_技能(slug, sandbox_id) but Sandbox has no 安装_技能 method. Also the registry metadata sAId 'instruction-only' yet the package contAIns 设置up.py and full source—this mismatch should be clarified.
指令范围
技能.md and README only instruct 扫描ning and viewing 报告s; they don't ask the 代理 to read unrelated user files or exfiltrate data. The 命令行工具 however describes a 'fetch remote 技能' flow which would require network 访问 and relies on a Sandbox.安装_技能 implementation that is missing. A prompt-injection pattern was 检测ed in the documentation/examples (likely as a 检测ion example), which could be confusing but is not an instruction to exfiltrate data.
安装机制
No 安装 spec in the registry metadata (instruction-only), but a standard 设置up.py is present and README shows pip/git 安装 options. There are no 下载s from arbitrary URLs or 提取-from-unknown-host operations. Dependencies are minimal (typer, colorama). The mismatch between 'instruction-only' metadata and present packaging code is worth asking about but not inherently unsafe.
凭证需求
The 技能 declares no required 环境 variables, 凭证s, or config paths. The code 扫描s for many 凭证 patterns (as expected for a 扫描器) but does not itself 请求 or try to read 环境 凭证s. No disproportionate secret 访问 is 请求ed.
持久化与权限
The 技能 does not 请求 always:true or elevated persistent privileges. It writes 报告s and policy under the user's ~/.config/the_安装_sandbox and uses a temp sandbox dir — this is reasonable for a 扫描器. It does not attempt to modify other 技能s or 系统-wide 代理 设置tings.
tests/fixtures/bad_skill/bad_script.py:9
Dynamic code execution 检测ed.
README.md:37
Prompt-injection style instruction pattern 检测ed.
安全有层次,运行前请审查代码。

运行时依赖

无特殊依赖

安装命令

点击复制
官方npx clawhub@latest install installsandbox
镜像加速npx clawhub@latest install installsandbox --registry https://cn.longxiaskill.com

技能文档

the-安装-sandbox

Sandbox and 扫描 ClawHub 技能s before 安装ation.

Quick Reference Want to... Do this 扫描 a 技能 the_安装_sandbox 扫描 <技能-dir> View last 报告 the_安装_sandbox 报告 设置 auto-应用rove threshold the_安装_sandbox policy --auto-应用rove 5 安装ation ClawHub 安装 certAIn记录icAI/the-安装-sandbox

Usage 扫描 a local 技能 the_安装_sandbox 扫描 /path/to/技能-dir

输出 shows PASS / 警告 / BLOCK verdict with score.

Scoring Severity Points CRITICAL 10 HIGH 5 MEDIUM 2 LOW 1 Score Verdict ≤10 PASS 11–20 警告 >20 BLOCK How It Works 创建 sandbox — isolated tmpfs directory (50MB) Copy 技能 into sandbox 运行 30+ security 检查s across 8 categories 生成 PASS / 警告 / BLOCK 报告 You decide whether to 安装 Exit Codes Code Meaning 0 PASS 1 BLOCK 2 警告 3 Error

数据来源ClawHub ↗ · 中文优化:龙虾技能库