Is chriopter/sandboxer-tmux safe?
https://github.com/openclaw/skills/tree/main/skills/chriopter/sandboxer-tmux
This skill is a purely instructional markdown file documenting a localhost tmux session management API (Sandboxer). It contains no executable code and exhibited clean installation behavior. However, it introduces significant security concerns: it instructs agents to read potentially untrusted CLAUDE.md files from workspaces (indirect prompt injection), documents a notify_url parameter that could exfiltrate data to external endpoints, and normalizes root-level unauthenticated access as the default operating mode.
Category Scores
Findings (8)
HIGH Indirect prompt injection via workspace file reading -25 ▶
The skill explicitly instructs the agent to 'Always read CLAUDE.md / AGENTS.md in both workspace AND repo before dispatching work to a session.' This creates a reliable indirect prompt injection vector — any malicious repository cloned into /root/workspaces/*/data/repos/ could contain a poisoned CLAUDE.md that overrides agent behavior, exfiltrates data, or escalates privileges through the Sandboxer API itself.
HIGH notify_url enables exfiltration to arbitrary external endpoints -15 ▶
The POST /api/create endpoint accepts a notify_url parameter that triggers an HTTP callback when a session finishes. An attacker (or compromised agent) could set this to an external URL, potentially including session output or metadata in the callback payload. This provides a built-in mechanism for data exfiltration that bypasses typical content inspection.
HIGH Root access and no-auth model normalized as default -15 ▶
The skill presents root access and zero authentication as the standard operating mode: 'agents run with root access' and 'No auth needed from localhost.' While intended for dedicated machines, injecting these expectations into an agent's system prompt normalizes insecure access patterns that could carry over to other environments or be exploited by prompt injection.
MEDIUM Unrestricted workspace file read/write API -15 ▶
The GET/POST /api/workspace/W/file/PATH endpoint provides unrestricted file access across all agent workspaces. Combined with the terminal capture API, this gives the agent (or anyone instructing it) access to MEMORY.md, SOUL.md, USER.md, and all project source code without path restrictions or access controls.
MEDIUM Full terminal capture exposes session secrets -10 ▶
The /api/capture endpoint returns the complete terminal output of any session. Sessions running as root may display environment variables, API keys, database credentials, or other secrets that appeared in terminal output during execution.
MEDIUM Skill acts as force multiplier for other attack vectors -20 ▶
This skill is benign in isolation but dramatically amplifies the impact of any other vulnerability. A compromised or malicious co-installed skill that can generate curl commands gains full system control through Sandboxer's documented API. The skill provides a well-documented attack surface for spawning shells, sending commands, and reading/writing files.
LOW Skill enables arbitrary command execution by design -8 ▶
While the skill contains no executable code itself, its documented API enables spawning bash sessions and sending arbitrary commands. This is the skill's intended purpose and is transparently documented, but represents significant capability escalation for any agent with this skill installed.
INFO Clean installation with no suspicious activity -5 ▶
Installation monitoring detected only standard system activity: JIT cache writes, DNS resolution, GitHub HTTPS traffic for git clone, and Ubuntu system services. No unexpected processes, no firewall-blocked connections, no canary file access.