{"id":49569914,"url":"https://github.com/wan0net/sharkcage","last_synced_at":"2026-05-03T13:13:26.628Z","repository":{"id":347951307,"uuid":"1195029618","full_name":"wan0net/sharkcage","owner":"wan0net","description":"Trust layer and sandboxing for OpenClaw — per-skill kernel sandboxing, capability model, tool interceptors","archived":false,"fork":false,"pushed_at":"2026-03-30T08:28:54.000Z","size":506,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-03-30T08:32:04.266Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wan0net.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-29T05:45:51.000Z","updated_at":"2026-03-30T08:28:57.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/wan0net/sharkcage","commit_stats":null,"previous_names":["wan0net/sharkcage"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/wan0net/sharkcage","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Fsharkcage","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Fsharkcage/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Fsharkcage/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Fsharkcage/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wan0net","download_url":"https://codeload.github.com/wan0net/sharkcage/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wan0net%2Fsharkcage/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32569995,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-03T06:36:36.687Z","status":"ssl_error","status_checked_at":"2026-05-03T06:36:09.306Z","response_time":103,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-03T13:13:22.911Z","updated_at":"2026-05-03T13:13:26.618Z","avatar_url":"https://github.com/wan0net.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# sharkcage\n\nOpenClaw, but you trust it.\n\nSharkcage registers as OpenClaw's **sandbox backend**, wrapping every AI-directed tool call with `srt` (Anthropic Sandbox Runtime). Every bash command, file read/write, and skill execution is sandboxed using built-in OS kernel primitives. Capabilities approved once at install become the baseline policy, and later scope expansion is explicit and audited.\n\n\u003e **Development status:** Sharkcage is still under active development. The core security model, test coverage, and install path are in much better shape now, but releases can still change quickly and operational edges are still being tightened. Treat it as a serious early-stage project, not a fully settled platform.\n\u003e\n\u003e If you deploy it, prefer a disposable VM, low-privilege accounts, revocable tokens, and a setup you can rebuild quickly.\n\u003e\n\u003e **No new sandboxing tech.** Sharkcage uses the same battle-tested OS primitives that Flatpak, Snap, and Chrome have relied on for years: [bubblewrap](https://github.com/containers/bubblewrap) + seccomp on Linux, Seatbelt (sandbox-exec) on macOS. Wrapped by Anthropic's [srt](https://github.com/anthropic-experimental/sandbox-runtime). These are proven, kernel-enforced boundaries — not a custom sandbox or a JS shim.\n\u003e\n\u003e Built by an unprofessional security engineer who got tired of `--dangerously-skip-permissions`. Vibe coded with AI, hardened by a human who kept asking \"but what if...\" until the sandbox actually held up. Three automated security review passes, Trivy and Semgrep on every build, every finding discussed before fixing. The security model wasn't designed top-down — it was discovered bottom-up by trying things, watching them break, and deciding what actually matters.\n\u003e\n\u003e Ubuntu 24.04+ note: if AppArmor is still restricting unprivileged user namespaces, secure startup will fail closed even when `bubblewrap` and `srt` are installed. The installer checks for this and points to the exact sysctl fix in [INSTALL.md](INSTALL.md).\n\n## Security Model\n\n```\nOpenClaw + sharkcage plugin\n  │\n  ├── Per-tool ASRT sandboxing (sandbox backend)\n  │   Every bash/exec/file tool call the AI makes:\n  │     srt --settings \u003csession-policy\u003e /bin/sh -c \u003ccmd\u003e\n  │   Kernel-enforced filesystem + network restrictions per command\n  │\n  ├── Per-skill ASRT sandboxing (supervisor)\n  │   Each skill runs in its own srt sandbox:\n  │     srt --settings \u003cskill-policy\u003e node \u003cskill\u003e\n  │   Scoped to approved capabilities only\n  │\n  ├── Capability enforcement (before_tool_call hook)\n  │   Unapproved skill? → native channel approval (AI cannot see it)\n  │   Approved? → route to supervisor for sandboxed execution\n  │\n  ├── Localhost proxy (SOCKS5 on :18800)\n  │   Per-skill tokens, blocks unapproved localhost access\n  │\n  └── Audit log\n      Hash-chained local audit log, rotated and health-checked\n```\n\n- **Per-tool sandboxing** — the sandbox backend wraps every AI-directed command with `srt`. The AI's bash commands and file operations run inside per-session ASRT policies with restricted filesystem and network access. The gateway process itself runs unsandboxed — it only serves deterministic chat server code.\n- **Per-skill sandboxing** — each skill gets its own ASRT config derived from approved capabilities. Skills cannot reach each other's hosts or files.\n- **Approval flow** — uses OpenClaw's native `requireApproval` so the human sees approval prompts in their chat channel but the AI never does.\n- **Approve once, enforce always** — install-time approvals become the baseline policy, and later scope expansion is explicit, persisted, and audited. No per-action runtime nagging.\n- **Tamper-evident local audit trail** — tool and proxy events are written to a hash-chained local log with rotation and integrity checks.\n- **Fail closed on unsupported hosts** — startup runs a real sandbox smoke test, not just `srt --version`, and refuses to enter secure mode when the host cannot actually launch sandboxed workers.\n\n## Quick Start\n\n```bash\n# One-line install\ncurl -fsSL https://raw.githubusercontent.com/wan0net/sharkcage/main/install.sh | bash\n\n# Or install + configure a server setup non-interactively\nOPENROUTER_API_KEY=your-key-here \\\n  curl -fsSL https://raw.githubusercontent.com/wan0net/sharkcage/main/install.sh | \\\n  bash -s -- --configure --mode full --service-user openclaw\n\n# Then\nsc init       # setup wizard (configures OpenClaw + sandbox mode)\nsc start      # start everything\n```\n\nSee [INSTALL.md](INSTALL.md) for full installation instructions.\n\n## CLI\n\n```\nsc start                            Start supervisor + OpenClaw\nsc stop                             Stop everything\nsc init                             First-time setup wizard\nsc init --non-interactive ...       Server/automation-friendly setup path\nsc status                           Show sandbox state, uptime, skill stats\n\nsc skill add \u003curl|path\u003e             Install a skill\nsc skill list                       List installed skills\nsc skill remove \u003cname\u003e              Remove a skill\nsc skill infer \u003cname\u003e               Infer capabilities from skill source\nsc approve \u003cname\u003e                   Review and approve skill capabilities\n\nsc verify \u003cpath\u003e                    Scan a skill for issues\nsc sign \u003cpath\u003e                      Sign a skill with your key\n\nsc config show                      Show sharkcage config\nsc config add-service \u003chost\u003e        Add a host to the allowed services\nsc config remove-service \u003chost\u003e     Remove a host from allowed services\n\nsc audit                            Show recent audit log entries\nsc audit --skill \u003cname\u003e             Filter by skill\nsc audit --blocked                  Show only blocked calls\nsc audit --tool \u003cname\u003e              Filter by tool name\nsc audit --tail \u003cn\u003e                 Show last N entries\n\nsc user copy-in \u003cpath\u003e [--mode]     Copy files into dedicated user's home\nsc user shell                       Open shell as the dedicated user\nsc user home                        Print dedicated user home directory\nsc user info                        Show dedicated user details\n\nsc trust \u003cfingerprint\u003e              Trust a skill signer\nsc upgrade                          Safely upgrade OpenClaw with rollback\n```\n\n## Capability Model\n\nCapabilities are approved once at install and enforced at the kernel level from then on. No runtime prompts. No fatigue. No `--dangerously-skip-permissions`.\n\nWhen you install a skill, sharkcage:\n\n1. Downloads it\n2. Scans for dangerous patterns and missing fields\n3. Generates a capability manifest (via static analysis if the skill has none)\n4. Shows requested capabilities with risk levels\n5. Asks you to approve\n\nAfter approval, the skill runs in its own ASRT sandbox scoped to exactly what was approved. If it tries to reach a host outside its scope, the kernel blocks it silently and logs the attempt.\n\n## Platform Support\n\n| Platform | Sandbox | How |\n|----------|---------|-----|\n| macOS | Seatbelt (sandbox-exec) | Native via `srt` |\n| Linux | bubblewrap + seccomp | Native via `srt` |\n| Windows | bubblewrap + seccomp | Via WSL2 — run OpenClaw inside WSL2 |\n\n`srt` (Anthropic Sandbox Runtime) provides kernel-level enforcement on all three. On Windows, WSL2 gives you a real Linux kernel, so the same bubblewrap+seccomp sandbox works identically.\n\n## How This Was Built\n\nYes, this was vibe coded. An AI wrote most of the implementation while a human who understands security kept asking \"but what if...\" until the answers were honest. Multiple automated security review passes, Trivy and Semgrep on every build, every finding discussed before fixing — some were real vulnerabilities, some were the sandbox already doing its job, and knowing the difference mattered more than fixing everything blindly.\n\nThe security model wasn't designed top-down. It was discovered bottom-up by trying things, watching them break, understanding why, and deciding what actually matters. The original design had a full outer sandbox wrapping the entire OpenClaw binary. In practice it broke inbound connections, IPC, and FD inheritance. The per-tool model was already doing the real work. That's not a bug in the process — that's how you find out what works.\n\n## Documentation\n\n- [INSTALL.md](INSTALL.md) — Installation and setup\n- [docs/unified-platform.md](docs/unified-platform.md) — Full design doc: architecture, capability model, sandbox enforcement, security model\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwan0net%2Fsharkcage","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwan0net%2Fsharkcage","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwan0net%2Fsharkcage/lists"}