A hardened Docker sandbox for testing OpenKrab skill security before production deployment.
ClawSandbox is a security-focused testing environment forked from deduu/ClawSandbox and customized for the OpenKrab ecosystem. It provides:
- 8 Security Benchmark Categories for comprehensive AI agent testing
- Docker Hardening with 7 security layers
- Local-First Testing before publishing to ClawHub
- ClawFlow Integration for automated security pipelines
- Docker Desktop (latest version, Compose enabled)
- Git
- (Optional) API keys for LLM testing (Gemini, OpenAI, Ollama)
```bash
# Clone the repository
git clone https://github.com/OpenKrab/ClawSandbox.git
cd ClawSandbox

# Build the hardened Docker image
cd docker
docker compose build

# Start the sandbox (isolated mode)
docker compose up -d
```
Run the full benchmark suite from inside the container:
```bash
docker exec -it ClawSandbox bash
cd /home/openclaw/tests
./run-all.sh
```
Or run a single category:
| Category | Command |
|---|---|
| Reconnaissance | ./01-recon/recon.sh |
| Privilege Escalation | ./02-privilege-escalation/privesc.sh |
| Data Exfiltration | ./03-data-exfiltration/exfil.sh |
| Prompt Injection | See below |
| General Audit | ./05-general-audit/audit.sh |
| Memory Poisoning (Offline) | ./08-memory-poisoning/memory-poison-offline.sh |
- Set up your API key:
```bash
export GEMINI_API_KEY="your-key-here"
# OR
scripts/setup-api-key.sh gemini YOUR_KEY
```
- Run the test:
```bash
bash /home/openclaw/tests/04-prompt-injection/run-via-openclaw.sh
```
The memory-poisoning API test needs outbound network access, which the sandbox blocks by default:
```bash
# Enable internet mode in docker-compose.yml first
bash /home/openclaw/tests/08-memory-poisoning/memory-poison-api.sh
```
ClawSandbox implements 7 security layers by default:
- Non-root user - Runs as `openclaw` (UID 999)
- Drop all Linux capabilities - Minimal privileges
- Read-only root FS + tmpfs for writable directories
- No new privileges - Prevents privilege escalation
- Resource limits - 2 CPU cores / 2GB RAM
- Isolated network - No outbound connections by default
- No host mounts - Named volumes only
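As an added illustration (not the project's own docker/docker-compose.yml), the following Compose service shows how each of the seven layers above maps onto a Compose key; the service, image, volume and writable-path names, and the `pids_limit` line, are assumptions of this example.

```yaml
# Added example: one Compose service applying the seven ClawSandbox
# hardening layers. Names and sizes are assumed; this is not the
# project's own docker-compose.yml.
services:
  clawsandbox:
    build: .                          # Dockerfile lives beside this file
    container_name: ClawSandbox
    user: "999:999"                   # 1. non-root: openclaw, UID 999
    cap_drop:
      - ALL                           # 2. drop every Linux capability
    read_only: true                   # 3. read-only root filesystem ...
    security_opt:
      - no-new-privileges:true        # 4. setuid/setgid cannot add privileges
    cpus: "2"                         # 5. resource limits: 2 CPU cores ...
    mem_limit: 2g                     #    ... and 2 GB RAM
    pids_limit: 256                   #    (assumed extra: caps runaway forks)
    network_mode: none                # 6. isolated network, no outbound traffic
    # For the API-based tests (prompt injection, memory-poison-api.sh)
    # replace the line above with a bridge network, then revert:
    # network_mode: bridge
    volumes:
      - type: tmpfs                   # 3. ... plus tmpfs for writable paths
        target: /tmp                  #    results land in /tmp/results
        tmpfs:
          size: 268435456             #    256 MiB, cleared on restart
      - type: volume                  # 7. named volumes only, no host mounts
        source: skills
        target: /home/openclaw/skills

volumes:
  skills:                             # assumed name for the skill volume
```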
Results are stored in /tmp/results/ (tmpfs, cleared on restart):
```bash
# Inside container
find /tmp/results -type f

# Copy to host
docker cp ClawSandbox:/tmp/results ./local-results
```
Results show attack success/failure rates (e.g., "7/9 tests passed").
Edit tests/04-prompt-injection/run-via-openclaw.sh to:
- Point API calls to Krab CLI or gateway
- Update system prompts to match Krab:
```bash
SYSTEM_PROMPT="You are Krab agent from OpenKrab..."
```
Mount your skill into the container:
```yaml
# docker/docker-compose.yml
volumes:
  - ../your-skill-folder:/home/openclaw/skills/claw-graph
```
Note that this is a bind mount from the host, so it relaxes the "no host mounts" layer listed above; keep the mounted folder limited to the skill under test. Then run relevant tests (e.g., memory poisoning for ClawMemory skills).
Add to your ClawFlow:
```bash
clawflow security-test <skill-name>
```
This will:
- Spin up ClawSandbox container
- Install the skill
- Run subset tests (recon + prompt injection)
- Return security report
```bash
# Stop and remove containers
docker compose down

# Remove image (for fresh start)
docker rmi clawsandbox_clawsandbox
```
- Run on isolated VM - Use Clawbox for macOS or a separate VPS
- Use frontier models - Test with Claude 4, Gemini 3+ for realistic results
- Badge your skills - Add "Passed ClawSandbox" badge to ClawHub listings
- Regular testing - Re-run benchmarks after skill updates
```
ClawSandbox/
├── docker/
│   ├── Dockerfile
│   ├── docker-compose.yml
│   └── .dockerignore
├── tests/
│   ├── 01-recon/
│   ├── 02-privilege-escalation/
│   ├── 03-data-exfiltration/
│   ├── 04-prompt-injection/
│   ├── 05-general-audit/
│   ├── 06-network-security/
│   ├── 07-file-integrity/
│   ├── 08-memory-poisoning/
│   └── run-all.sh
├── scripts/
│   └── setup-api-key.sh
├── results/          # Local results storage
└── README.md
```
This project is forked from deduu/ClawSandbox and customized for the OpenKrab ecosystem.
MIT License - See LICENSE file for details.
- OpenKrab Organization
- Original ClawSandbox
- ClawHub (Skill Registry)
- ClawFlow (Automation Platform)
🦀 Secure Your Krab Skills with ClawSandbox