2.5k
GitHub Stars
3
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill openclaw/skills --skill sandwrap- _meta.json274 B
- CLAWHUB-README.md2.1 KB
- SKILL.md3.1 KB
Overview
This skill wraps untrusted skills in a lightweight, prompt-based soft-sandbox to reduce prompt-injection and misuse. It applies five layered defenses to block roughly 85% of attempted attacks while preserving useful functionality. Use it to run third-party or unknown skills safely, or to test new skills before granting trust.
How this skill works
Sandwrap generates a fresh random token per session and encloses untrusted content in unpredictable delimiters to prevent delimiter-guessing attacks. It enforces a hierarchy of instructions, restricts available tools per preset, requires human approval for sensitive actions, and verifies outputs for exfiltration or instruction leakage before any effect is taken. Auto-sandboxing can trigger based on configured risk thresholds and logs denied tool attempts and suspicious behavior.
When to use it
- Running third-party skills from unknown or unvetted sources
- Processing untrusted content that could contain prompt-injection payloads
- Analyzing suspicious files, URLs, or web content safely
- Testing or auditing new skills before expanding privileges
- Automatically wrapping skills marked as risky in configuration
Best practices
- Choose the strictest preset that still allows necessary work (read-only or full-isolate for highest safety)
- Enable auto-sandbox for categories of skills you don’t fully trust and tune the risk threshold as you learn threat patterns
- Require human approval for sensitive outputs and clearly surface why approval is needed
- Monitor logs for repeated denied attempts and update anti-bypass rules when new patterns appear
- Avoid using sandwrap for highly sensitive secrets or adversarial analysis that requires system-level isolation
Example use cases
- Open-source skill from an unvetted author: run it in sandwrap read-only for code inspection
- Crawling a suspicious website: use the web-only preset to prevent local file access
- Security audit of a third-party analyzer: run with the audit preset and store results in sandbox-output/
- Automated CI testing for new community skills: enable auto-wrap for a probationary period
- Exploratory analysis of unknown files: use full-isolate so the skill can only reason without tool access
FAQ
Sandwrap’s multi-layer defenses block about 85% of common prompt-injection and bypass techniques, but it is not a substitute for system-level sandboxing for high-risk workflows.
Can sandwrap run any skill automatically?
Yes — you can configure auto-sandbox rules and a default preset in sandbox-config.json; risky or listed skills will be wrapped automatically, with human approval requested for sensitive actions.