sandwrap_skill

This skill safely wraps untrusted skills with multi-layer prompt defenses to block most attacks and reduce risk.
  • Python

2.5k

GitHub Stars

3

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill openclaw/skills --skill sandwrap

  • _meta.json274 B
  • CLAWHUB-README.md2.1 KB
  • SKILL.md3.1 KB

Overview

This skill wraps untrusted skills in a lightweight, prompt-based soft-sandbox to reduce prompt-injection and misuse. It applies five layered defenses to block roughly 85% of attempted attacks while preserving useful functionality. Use it to run third-party or unknown skills safely, or to test new skills before granting trust.

How this skill works

Sandwrap generates a fresh random token per session and encloses untrusted content in unpredictable delimiters to prevent delimiter-guessing attacks. It enforces a hierarchy of instructions, restricts available tools per preset, requires human approval for sensitive actions, and verifies outputs for exfiltration or instruction leakage before any effect is taken. Auto-sandboxing can trigger based on configured risk thresholds and logs denied tool attempts and suspicious behavior.

When to use it

  • Running third-party skills from unknown or unvetted sources
  • Processing untrusted content that could contain prompt-injection payloads
  • Analyzing suspicious files, URLs, or web content safely
  • Testing or auditing new skills before expanding privileges
  • Automatically wrapping skills marked as risky in configuration

Best practices

  • Choose the strictest preset that still allows necessary work (read-only or full-isolate for highest safety)
  • Enable auto-sandbox for categories of skills you don’t fully trust and tune the risk threshold as you learn threat patterns
  • Require human approval for sensitive outputs and clearly surface why approval is needed
  • Monitor logs for repeated denied attempts and update anti-bypass rules when new patterns appear
  • Avoid using sandwrap for highly sensitive secrets or adversarial analysis that requires system-level isolation

Example use cases

  • Open-source skill from an unvetted author: run it in sandwrap read-only for code inspection
  • Crawling a suspicious website: use the web-only preset to prevent local file access
  • Security audit of a third-party analyzer: run with the audit preset and store results in sandbox-output/
  • Automated CI testing for new community skills: enable auto-wrap for a probationary period
  • Exploratory analysis of unknown files: use full-isolate so the skill can only reason without tool access

FAQ

Sandwrap’s multi-layer defenses block about 85% of common prompt-injection and bypass techniques, but it is not a substitute for system-level sandboxing for high-risk workflows.

Can sandwrap run any skill automatically?

Yes — you can configure auto-sandbox rules and a default preset in sandbox-config.json; risky or listed skills will be wrapped automatically, with human approval requested for sensitive actions.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational