Generates Docker sandbox configurations with hardened security flags for running untrusted OpenClaw skills. You pick a profile (minimal read-only, standard read-write, or network-enabled) based on the skill's permissions, and it spits out a Dockerfile and docker run command with all the isolation bits: capability dropping, resource limits, no-new-privileges, network restrictions. The profiles are pre-baked patterns so you don't have to remember which flags actually matter. Useful when you want to try a third-party skill without manually auditing it first or hoping your container runtime defaults are enough. Ships with sane rules like never mounting the Docker socket and always running as non-root.
npx skills add https://github.com/useai-pro/openclaw-skills-security --skill sandbox-guard