con un clic
silk-sandbox
Use when generated code must be executed without contaminating the host.
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Menú
Use when generated code must be executed without contaminating the host.
Instalar con Codex o Claude Copia este prompt, pégalo en Codex, Claude u otro asistente, y deja que revise la página de la skill y la instale por ti.
Basado en la clasificación ocupacional SOC
Versioning, changelogs, releases, migration notes, compatibility, deprecations, and adapter sync.
Use when routing across the full 187SKILLS suite or the NATASHA multi-agent integration stack (THREAD, COMPRESS, TENSION, SPARK, CORD, SCOUT, LAB, FUSE).
Use for EVM-first smart-contract assurance, DeFi economic risk analysis, severity/confidence separation, and responsible disclosure (no live keys or exploits).
Use for quantum algorithm selection, circuit design, optimization, resource estimation, and claim-disciplined audits (no unsupported advantage claims).
Use when generating a new repository, deploying to GitHub, creating an installer site, or routing the 187SKILLS suite.
Use when adding delight, micro-interactions, onboarding, community, or retention to a 187WEB project.
| name | silk-sandbox |
| description | Use when generated code must be executed without contaminating the host. |
| origin | portfolio |
Suite: The 187web Ecosystem v2. Parent index:
187web-ecosystem · Siblings:
widow-weaver · neuro-tension · swarm-mind · natasha-scout
silk-sandbox is the NATASHA stack's execution layer. It takes code spun by
swarm-mind — or any fenced block in Obsidian — and
runs it inside a hardened, disposable sandbox. Every byte is wrapped in silk:
isolated from the host, watched at the syscall layer, and piped back live.
Load this skill when a markdown code block or agent-generated artifact must be
compiled, tested, or demonstrated inside a controlled environment. If the code
came from an LLM, the web, or any untrusted source, it goes through
silk-sandbox first — never the host shell.
What it enforces. Generated code executes only inside Firecracker microVMs or gVisor sandboxes. The host filesystem, kernel, and network namespace remain untouched. The sandbox is born for one run and destroyed afterward.
Implementation guidance.
runsc) when Docker compatibility is required./workspace or outside the allow-listed sandbox store.What it enforces. All kernel surface area from the sandbox is inspected and
filtered. Unauthorized network sockets, filesystem reads outside /workspace,
and privilege-escalation attempts are blocked and logged.
Implementation guidance.
tracepoint/syscalls for socket, connect,
openat, execve, setuid, capset, and mount.network: allow and the runtime owner approves it./workspace/**, /tmp, standard runtime libraries, and
nothing else. Deny reads to /etc/passwd, /proc/*/environ, host devices,
and kernel pseudo-filesystems.What it enforces. stdout and stderr are captured in real time and streamed back to the Obsidian UI through WebSockets. The developer watches compile, execute, and fail inline, beneath the code block that spawned it.
Implementation guidance.
Run a per-session WebSocket broker inside Claudian. The broker accepts one stream per sandbox VM and forwards lines to the active Obsidian pane.
Multiplex stdout and stderr on separate channels, preserving order with millisecond timestamps. Display stderr in Widow Red callouts.
Buffer the last 4 KB of output server-side so late-joining panes can hydrate the stream. Flush on every newline for interactivity.
Append final output as a collapsible blockquote under the originating code fence:
> [!quote] silk-sandbox output
> stdout lines...
> stderr lines...
On non-zero exit or forced termination, render > [!danger] and route the
artifact to Code_Explainer.
swarm-mind emits a fenced code block in
Obsidian, or a user clicks the inline ▶ Run in silk-sandbox button.network: deny.widow-weaver for
diagnosis.Never execute untrusted code without isolation. silk-sandbox is a containment
layer, not a proof of invulnerability. A compromised runtime, misconfigured
seccomp profile, or zero-day in the microVM hypervisor can still breach the
boundary. Review generated code before allowing network access, keep the
sandbox images minimal, and rotate audit logs.
This skill defines execution policy and isolation rules. No runtime code or backend configuration lives here; implementation belongs to the Claudian host service and its Firecracker / gVisor drivers.
Profiles: lab:text · lab:python · lab:node · lab:repo · lab:web ·
lab:quantum · lab:evm.
Network policy default deny-egress except declared allowlist. Emit run records (input hash, tools, exit code, artifacts). No live production exploits.