تشغيل أي مهارة في Manus بنقرة واحدة

docker-sandbox

النجوم٢

التفرعات٠

آخر تحديث٩ أبريل ٢٠٢٦ في ٢٠:٥٤

Docker Sandboxes (sbx CLI) — run AI coding agents in isolated microVM environments with credential proxying, network policy enforcement, and custom templates. Covers Claude Code, Codex, Copilot, and Gemini agents. Compatible with Rancher Desktop (Docker Desktop not required). Use this skill when users need to: (1) Install, configure, or authenticate with the sbx CLI (2) Create, run, stop, or remove sandboxed agent sessions (3) Configure credentials, secrets, or API keys for sandboxed agents (4) Understand the security model (microVM, proxy, network policies) (5) Build custom sandbox templates or customize environments (6) Troubleshoot sandbox issues (clock drift, port forwarding, connectivity) (7) Use branch mode, multi-workspace, or reconnection workflows (8) Set up specific agents (Claude Code, Codex, Copilot, Gemini) in sandboxes (9) Use 1Password CLI (op) for zero-disk-footprint secret injection

التثبيت

التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.

تشغيل في Manus

المصدر

swannysec

swannysec/robot-tools

فتح مستودع GitHub عرض مستودعات المنشئ

تنزيل

تشغيل في Manus

المهن ذات الصلةSOC

استنادا إلى تصنيف SOC المهني

مديرو الشبكات وأنظمة الحاسوبمهن الحاسوب والرياضيات·SOC 15-1244

مستكشف الملفات

7 ملفات

SKILL.md

readonly

المزيد من هذا المستودع

نفس المستودع

security-vuln-analyzer

swannysec/robot-tools

Multi-agent security vulnerability analysis with adversarial verification and ICD 203 analytic standards. Orchestrates 5 parallel finder agents, cross-model adversarial verification (Claude + Codex), and deterministic validation to analyze vulnerability reports with CWE-specific procedures, confirmation bias mitigation, and structured evidence quality assessment. Includes a `--develop-fix` mode (Rust-first v1) that, after confirming a concrete target, authors validated regression tests + a minimum fix on a branch and emits a human-gated **candidate patch** — it never confirms its own fix; the mandatory `--verify-fix` gate and a human merge do. Use when receiving vulnerability reports, security disclosures, or bug bounty submissions, when assessing security issues, or when authoring a candidate fix for a confirmed finding.

2026-06-242

vercel-forensics

swannysec/robot-tools

Preservation-first forensic evidence collection and analysis for Vercel security incidents (OAuth supply-chain compromise, env-var exposure, audit-log triage). Produces a frozen evidence directory, an 8-section findings report, and a rotation-worklist CSV for downstream rotation tooling. Strictly read-only. Never rotates, revokes, deletes, or redeploys. The banned-ops list is absolute. Rotation is handed off to subinium/vercel-incident-toolkit Flow C or codyhxyz/metapod-harden `/rotate-vercel-env <KEY>` using this skill's CSV as input. Use this skill when: (1) Vercel publishes a security incident and you need to assess exposure across your team / account / linked GitHub org. (2) A customer suspects env-var exposure and wants an evidence bundle plus prioritized rotation worklist by lunch Monday. (3) Audit-log triage across Vercel activity + GitHub audit log is needed without contaminating the very log under investigation. (4) Forensic handoff to a rotation tool is required — this skill produces

2026-04-202

vanta

swannysec/robot-tools

Vanta compliance platform operations — posture analysis, audit readiness, vulnerability management, personnel compliance, and flexible reporting. Complements the official vanta-mcp-plugin with analysis workflows, direct API access for write operations, and reporting capabilities not available in the Vanta UI. 50% compliance analysis/reporting, 30% API operations, 20% workflow orchestration. Use this skill when users need to: (1) Assess compliance posture across frameworks (gap analysis, control coverage, cross-framework overlap) (2) Prepare for audits (readiness checklist, missing evidence, policy expiry, personnel compliance) (3) Track and triage vulnerabilities with SLA awareness (approaching deadlines, missed SLAs, severity breakdown) (4) Monitor personnel compliance (overdue training, policy acceptance, deactivated personnel in scope) (5) Generate compliance reports and executive summaries (posture, readiness, vulnerability SLA, personnel, custom) (6) Perform bulk low-risk operations

2026-04-162

anti-laziness-guard

swannysec/robot-tools

Three-layer Stop hook that detects and blocks work-skipping rationalizations by Claude Code agents. Prevents agents from unilaterally deciding to skip assigned work, bypass mandatory processes, or cite unverified context constraints as justification for shortcuts. Layer 1: Deterministic regex detection of known laziness phrases (Tiers 1-2) Layer 2: Haiku-evaluated internal contradiction detection (Tier 4) Layer 3: Context-aware agent verification — auto-activates when plans/tasks exist (Tier 5) This is a passive hook — it activates automatically when the plugin is enabled. No slash command needed. The hook fires on every Stop event and only blocks when laziness patterns are detected.

2026-04-152

impact-flow

swannysec/robot-tools

Codebase flow analysis for dependency visualization, impact assessment, and health scoring. Use PROACTIVELY when users need: (1) Dependency/import analysis ("what imports this?", "dependency graph", "module relationships") (2) Blast radius/impact analysis ("if I change X", "what's affected", "impact of modifying") (3) Code health scoring ("codebase health", "health grade", "technical debt score") (4) Execution flow tracing ("trace through", "call path", "how does data flow") (5) Dead code detection ("unused exports", "safe to delete", "orphan code") (6) Comprehensive analysis ("full analysis", "analyze this codebase") NOTE: For security scanning, defer to security-sentinel. For design patterns, defer to pattern-recognition-specialist. For architecture compliance, defer to architecture-strategist.

2026-04-022

ai-dev-research

swannysec/robot-tools

World-expert deep technical research agent for AI-enabled software development. Use PROACTIVELY when users need: (1) Deep research on AI/ML development topics (RAG, agents, LLMs, embeddings, vector DBs, prompt engineering, fine-tuning) (2) Technical consultation on AI architectures, tool selection, or implementation approaches (3) Implementation guidance with production-ready patterns and best practices (4) Comparative analysis of AI frameworks, models, or services (5) Current state-of-the-art analysis with authoritative citations

2026-04-022

name	docker-sandbox
description	Docker Sandboxes (sbx CLI) — run AI coding agents in isolated microVM environments with credential proxying, network policy enforcement, and custom templates. Covers Claude Code, Codex, Copilot, and Gemini agents. Compatible with Rancher Desktop (Docker Desktop not required). Use this skill when users need to: (1) Install, configure, or authenticate with the sbx CLI (2) Create, run, stop, or remove sandboxed agent sessions (3) Configure credentials, secrets, or API keys for sandboxed agents (4) Understand the security model (microVM, proxy, network policies) (5) Build custom sandbox templates or customize environments (6) Troubleshoot sandbox issues (clock drift, port forwarding, connectivity) (7) Use branch mode, multi-workspace, or reconnection workflows (8) Set up specific agents (Claude Code, Codex, Copilot, Gemini) in sandboxes (9) Use 1Password CLI (op) for zero-disk-footprint secret injection
triggers	["docker sandbox","docker sandboxes","sbx","sbx cli","sbx run","sbx create","sandbox agent","sandbox microvm","sandbox template","sbx login","sbx secret","sbx policy","sbx branch","sandbox credential","sandbox security","sandbox isolation","custom sandbox template","sbx save","sandbox port forwarding","sandbox troubleshooting","rancher desktop sandbox","sandbox clock drift","1password sandbox","op cli sandbox"]

Docker Sandboxes (sbx CLI)

Run AI coding agents in isolated microVM environments with their own Docker daemon, filesystem, and network stack.

Docs: https://docs.docker.com/ai/sandboxes/ Install: brew install docker/tap/sbx (macOS)

Help — Topic Navigator

Use this table to find the right reference file. Read the reference only when needed for the user's specific question.

Topic	Reference	Consult when...
CLI commands & flags	references/cli-reference.md	User needs exact flag syntax, all options for a subcommand, or uncommon commands
Security & isolation	references/security-deep-dive.md	User asks about isolation layers, network policies, residual risks, or threat model
Credentials & secrets	references/credential-management.md	User needs to set up API keys, troubleshoot auth, use 1Password `op` CLI, or configure custom env vars
Custom environments	references/custom-environments.md	User wants to build templates, customize images, or use `sbx save`
Agent-specific setup	references/agent-setup.md	User needs per-agent auth details, config quirks, or agent comparison
Troubleshooting	references/troubleshooting.md	User hits errors, clock drift, port issues, connectivity problems, or needs diagnostics

Quick Start

1. Install

brew install docker/tap/sbx   # macOS (Docker Desktop NOT required)

Windows: winget install -h Docker.sbx Linux (Ubuntu 22.04+): requires KVM — see official docs.

2. Authenticate

sbx login

You will be prompted to select a default network policy:

Policy	Behavior
Open	All outbound traffic allowed
Balanced	Deny-by-default + common dev sites allowed (recommended)
Locked Down	All traffic blocked unless explicitly allowed

3. Store agent credentials

sbx secret set -g anthropic           # prompts for Anthropic API key
sbx secret set -g openai              # prompts for OpenAI API key
sbx secret set -g github -t "$(gh auth token)"  # GitHub token
sbx secret set -g google              # prompts for Google API key

Secrets are stored in the host OS keychain. The proxy injects auth headers into outbound API requests — raw credential values never enter the sandbox.

4. Run your first sandbox

cd ~/my-project
sbx run claude                         # creates + attaches in one step

First run downloads the sandbox image (slow); subsequent runs are cached. Verify: sbx ls

Essential Workflows

Run, stop, reconnect

sbx run claude ~/project               # create + attach
sbx run claude --name my-sandbox       # explicit naming
sbx stop my-sandbox                    # pause (state preserved)
sbx run my-sandbox                     # reconnect to existing
sbx rm my-sandbox                      # permanent delete

Branch mode (isolated git)

sbx run claude --branch my-feature     # creates git worktree under .sbx/
sbx run claude --branch auto           # auto-generated branch name

Worktrees live under .sbx/ — add to .gitignore. Uncommitted changes in your main tree are NOT visible in worktrees. sbx rm deletes all worktrees for that sandbox.

Multi-workspace mounting

sbx run claude ~/project-a ~/shared-libs:ro ~/docs:ro

First path is primary workspace. Additional paths mount at their host absolute paths. Append :ro for read-only.

Execute commands inside a sandbox

sbx exec -it my-sandbox bash           # interactive shell
sbx exec -d my-sandbox npm start       # background command

Port forwarding (post-hoc only)

sbx ports my-sandbox --publish 8080:3000   # host:8080 → sandbox:3000
sbx ports my-sandbox                        # list all mappings
sbx ports my-sandbox --unpublish 8080:3000  # remove mapping

Services inside the sandbox must bind to 0.0.0.0 (not 127.0.0.1). Port mappings are lost on sandbox stop.

List and manage

sbx ls                                 # table with agent, status, ports, workspace
sbx ls --json                          # JSON output
sbx                                    # interactive TUI dashboard

For full flag details on every subcommand, read references/cli-reference.md. This is mandatory when the user needs exact syntax or uncommon options.

Security Model Overview

Docker Sandboxes isolate agents in microVMs with 4 security layers:

Layer	Isolation
Hypervisor	Separate Linux kernel per sandbox; processes invisible to host
Network proxy	All HTTP/HTTPS through host proxy; no raw TCP/UDP/ICMP; DNS via proxy
Docker Engine	Isolated daemon per sandbox; no access to host Docker
Credentials	Proxy injects auth headers; raw keys never enter VM

Key principle: The hypervisor boundary is the security control, not in-VM privilege separation. Agents have sudo inside the sandbox by design.

Critical gotchas

Workspace is the primary residual risk — agents can modify git hooks, CI configs, IDE tasks, and build scripts within the mounted workspace
Git hooks are invisible to git diff — check .git/hooks/ manually after each session
Branch mode is NOT a security boundary — documented as convenience only
Deny always beats allow in network policies, regardless of specificity
~/.claude is NOT mounted — only project-level config is available

For the full isolation architecture, policy syntax, residual risks, and security checklist, read references/security-deep-dive.md. This is mandatory when the user asks about threat model or policy configuration.

Credential Quick Reference

Provider	Secret Name	Env Var(s)	Auth Method
Anthropic	`anthropic`	`ANTHROPIC_API_KEY`	API key or OAuth
OpenAI	`openai`	`OPENAI_API_KEY`	API key (required)
GitHub	`github`	`GH_TOKEN`, `GITHUB_TOKEN`	Token
Google	`google`	`GEMINI_API_KEY`, `GOOGLE_API_KEY`	API key or interactive sign-in
AWS	`aws`	`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`	Key pair

Scoping: sbx secret set -g <provider> (global, all sandboxes) vs sbx secret set <sandbox> <provider> (per-sandbox).

Key gotchas

Global secrets only take effect at sandbox creation — recreate sandbox after changing a global secret
sbx reset destroys all secrets (use --preserve-secrets to keep them)
For arbitrary env vars not covered by sbx secret, write to /etc/sandbox-persistent.sh inside the sandbox

1Password CLI (`op`) quick pattern

Keep secrets off disk entirely using op read command substitution:

sbx secret set -g anthropic -t "$(op read -n op://Vault/Anthropic/api-key)"
sbx secret set -g openai -t "$(op read -n op://Vault/OpenAI/api-key)"
sbx secret set -g github -t "$(op read -n op://Vault/GitHub/token)"

For full auth flows, OAuth vs API key details, custom env vars, and complete 1Password op CLI integration patterns, read references/credential-management.md. This is mandatory when the user needs to troubleshoot auth or set up op workflows.

Policy Quick Reference

Three policy templates available at sbx login or via sbx policy set-default:

Template	Value	Behavior
Open	`allow-all`	All outbound allowed
Balanced	`balanced`	Deny-default + common dev sites
Locked Down	`deny-all`	All blocked; must explicitly allow

Common operations

sbx policy ls                                   # list active rules
sbx policy allow network registry.npmjs.org     # allow a host
sbx policy allow network "*.pypi.org,files.pythonhosted.org"  # wildcards
sbx policy deny network evil.example.com        # deny a host
sbx policy log                                  # view allowed/blocked requests
sbx policy reset                                # wipe all rules, re-prompt

Wildcard rules: example.com does NOT match subdomains; *.example.com does NOT match the root domain. Specify both if needed.

Deny always wins — if a domain matches both allow and deny rules, deny takes precedence regardless of specificity.

Custom Environments Quick Reference

sbx run shell ~/project                         # bare shell, no agent
sbx run claude --template docker.io/org/img:v1  # custom template
sbx save my-sandbox myimage:v1.0                # snapshot current state

Templates use custom Dockerfiles extending base images like docker/sandbox-templates:claude-code. Default images include a Docker daemon inside the sandbox (-docker suffix variants).

For Dockerfile patterns, base image variants, memory config, and the full build+push+run workflow, read references/custom-environments.md. This is mandatory when the user wants to create custom templates.

Agent Setup Quick Reference

Agent	Command	Credential	Notes
Claude Code	`sbx run claude`	`anthropic` or OAuth	Runs with `--dangerously-skip-permissions`
Codex	`sbx run codex`	`openai` (required)	No OAuth fallback
Copilot	`sbx run copilot`	`github`	Pipe `gh auth token`
Gemini	`sbx run gemini`	`google` or interactive	Sign-in is sandbox-scoped

All agents: user-level config (~/.claude, ~/.codex, etc.) is NOT mounted. Only project-level config in the workspace is available.

For per-agent auth details, configuration quirks, and comparison, read references/agent-setup.md. This is mandatory when the user needs agent-specific guidance.

CLI Quick Reference

Command	Purpose	Key Flags
`sbx run`	Create + attach	`--branch`, `-m <SIZE>`, `--name`, `-t`
`sbx create`	Create (background)	`--branch`, `-m`, `--name`, `-t`, `-q`
`sbx exec`	Run command inside	`-it`, `-d`, `-e`, `-u`, `-w`
`sbx ls`	List sandboxes	`--json`, `-q`
`sbx stop`	Pause (state preserved)	—
`sbx rm`	Permanent delete	`--all`, `-f`
`sbx reset`	Nuclear reset	`--preserve-secrets`, `-f`
`sbx save`	Snapshot to host Docker	`-o` (tar output instead)
`sbx ports`	Port forwarding	`--publish`, `--unpublish`, `--json`
`sbx policy`	Network policy mgmt	`allow`, `deny`, `log`, `ls`, `reset`, `rm`
`sbx secret`	Credential mgmt	`set`, `ls`, `rm`, `-g`, `-t`
`sbx login`	Authenticate	—

For complete flag reference, usage examples, and behavioral notes for every subcommand, read references/cli-reference.md.

Project Documentation

When helping a user set up Docker Sandboxes for a project, document the configuration in the project itself. Create or update a project-level doc (e.g., docs/sandbox-setup.md or a section in the project's CONTRIBUTING.md) covering:

Which agent and template the project uses (sbx run claude, custom template, memory/docker-size overrides)
Credential management — full usage instructions for setting up secrets:
- List every provider the project needs (e.g., anthropic, github) and whether each should be global (-g) or per-sandbox scoped
- With 1Password (op): provide exact op:// reference paths and the corresponding sbx secret set commands:
```
sbx secret set -g anthropic -t "$(op read -n 'op://Vault/Anthropic/credential')"
sbx secret set my-sandbox github -t "$(op read -n 'op://Vault/GitHub/narrow-token')"
```
- Without 1Password: provide the interactive commands and note which tokens/keys are needed (without including actual values):
```
sbx secret set -g anthropic       # paste your Anthropic API key when prompted
sbx secret set -g github -t "$(gh auth token)"
```
- Document any per-sandbox overrides (e.g., a narrower-scoped GitHub token for a specific project) and the change workflow: stop → set → restart
- Note the creation-time gotcha: global secrets require sandbox recreation, not just restart
- If the project warrants it, include a bulk setup script (sbx-secrets-setup.sh) that contributors can run in one command
Network policy — any hosts that must be explicitly allowed beyond the default policy (e.g., private registries, internal APIs)
Port forwarding — any services the sandbox exposes and their expected mappings
Branch mode convention — whether the project uses --branch and what .gitignore entries are needed (.sbx/)
Post-session checklist — remind contributors to check .git/hooks/, git diff, and CI config changes after each sandbox session

This documentation ensures any team member (or future Claude instance) can reproduce the sandbox environment without tribal knowledge.

Rancher Desktop Compatibility

Docker Desktop is not required. The sbx CLI works standalone — install via brew install docker/tap/sbx. The docker sandbox subcommand (Docker Desktop only) is a separate, more limited interface not covered by this skill.

If using Rancher Desktop, the sbx CLI operates independently of your container runtime. The sandbox's internal Docker daemon is isolated and does not interact with your host Docker/containerd.

docker-sandbox

المزيد من هذا المستودع

Docker Sandboxes (sbx CLI)

Help — Topic Navigator

Quick Start

1. Install

2. Authenticate

3. Store agent credentials

4. Run your first sandbox

Essential Workflows

Run, stop, reconnect

Branch mode (isolated git)

Multi-workspace mounting

Execute commands inside a sandbox

Port forwarding (post-hoc only)

List and manage

Security Model Overview

Critical gotchas

Credential Quick Reference

Key gotchas

1Password CLI (op) quick pattern

Policy Quick Reference

Common operations

Custom Environments Quick Reference

Agent Setup Quick Reference

CLI Quick Reference

Project Documentation

Rancher Desktop Compatibility

Docker Sandboxes (sbx CLI)

Help — Topic Navigator

Quick Start

1. Install

2. Authenticate

3. Store agent credentials

4. Run your first sandbox

Essential Workflows

Run, stop, reconnect

Branch mode (isolated git)

Multi-workspace mounting

Execute commands inside a sandbox

Port forwarding (post-hoc only)

List and manage

Security Model Overview

Critical gotchas

Credential Quick Reference

Key gotchas

1Password CLI (op) quick pattern

Policy Quick Reference

Common operations

Custom Environments Quick Reference

Agent Setup Quick Reference

CLI Quick Reference

Project Documentation

Rancher Desktop Compatibility

المزيد من هذا المستودع

1Password CLI (`op`) quick pattern

1Password CLI (`op`) quick pattern