
docker-sandbox

SKILL

Create and manage Docker sandboxed VM environments for safe agent execution. Use when running untrusted code, exploring packages, or isolating agent workloads. Supports Claude, Codex, Copilot, Gemini, and Kiro agents with network proxy controls.

v1.0.0, tested 8 Feb 2026
Overall score: 1.7
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 3.0
Reliability 0.0
Agent usability 3.0
Compatibility 0.0
Code health 2.0

Compatibility

Claude Code
Status: Not an MCP server - this is a Docker Desktop CLI skill wrapper
Notes:
  • No MCP protocol implementation found
  • No stdio transport implementation
  • No tools/list endpoint
  • Documentation describes Docker CLI commands, not MCP tools

OpenAI Agents SDK
Status: Not an MCP server - this is a Docker Desktop CLI skill wrapper
Notes:
  • No MCP protocol implementation
  • No SSE transport support
  • No tool schemas in OpenAI function calling format
  • Would require a complete MCP server wrapper to be written

LangChain
Status: Not an MCP server - this is a Docker Desktop CLI skill wrapper
Notes:
  • No MCP protocol implementation
  • No tool definitions to wrap as StructuredTools
  • Documentation only describes shell commands, not a programmatic API
  • Would require building an MCP server from scratch

Security findings

CRITICAL

Arbitrary command execution without input validation

The skill directly passes user input to Docker commands (docker sandbox exec, docker sandbox run) without any sanitization. An attacker could inject shell metacharacters through sandbox names, workspace paths, or command arguments to execute arbitrary commands on the host system. Example: 'docker sandbox exec my-sandbox $(malicious-command)' or workspace path '../../../etc/passwd'.

CRITICAL

Path traversal vulnerability in workspace mounting

The workspace path parameter is passed directly to Docker without validation. An attacker could use '../' sequences to mount sensitive host directories (e.g., '../../.ssh', '/etc', '/root') into the sandbox, potentially exposing credentials, system files, or allowing privilege escalation.

CRITICAL

Docker socket exposure enables container escape

Documentation states 'Docker socket (at /run/docker.sock - Docker-in-Docker capable)'. This gives sandboxed code direct access to the Docker daemon, allowing it to create privileged containers, mount host filesystems, and escape the sandbox entirely. This defeats the entire purpose of sandboxing.

HIGH

No authentication or authorization mechanism

The skill provides no access controls. Any caller can create sandboxes, execute arbitrary commands, modify network policies, or destroy existing sandboxes. There's no concept of ownership or permission checking between different users or agents.

HIGH

Network proxy bypass allows unrestricted internet access

The '--bypass-host' option allows callers to completely bypass network restrictions for any host. Combined with the default 'allow' policy, untrusted code can easily exfiltrate data or communicate with command-and-control servers.

HIGH

Environment variable injection risk

The '-e KEY=VAL' flag in docker sandbox exec accepts arbitrary environment variables without validation. Attackers could set LD_PRELOAD, PATH, or other security-sensitive variables to hijack execution or load malicious libraries.

MEDIUM

No resource limits specified

MEDIUM

Sandbox names not validated

MEDIUM

No timeout mechanism for long-running commands

Reliability

Success rate

0%

Calls made

100


Failure modes

  • No executable code provided - only documentation
  • No MCP server implementation found
  • No error handling present - no code to analyze
  • No parameter validation - no code to analyze
  • No resource management - no code to analyze
  • Cannot make any calls - tool has no implementation
  • Would fail 100% of requests as there is no server to handle them

Code health

License

none

Has tests

No

Has CI

No

Dependencies

0

This is a skill/documentation-only package with no actual source code. It's a wrapper around Docker Desktop's sandbox feature, not a standalone tool. The repository contains only metadata (_meta.json) and documentation (SKILL.md). No code to maintain, test, or analyze. No dependencies, no license, no CI/CD. The 'source repository' appears to be part of a skills marketplace (clawdbot/skills) but we only have access to this specific skill's files, not the broader repository context. Cannot assess maintenance activity, contributor count, or issue tracking without access to the parent repository. The documentation is comprehensive and well-structured, but this is fundamentally just a guide for using an existing Docker feature, not a code health evaluation candidate.