Security sandbox
SkillFlaw uses a sandbox runtime for code-execution scenarios that should not run directly inside the backend process.
In local development, the sandbox is relevant in two main developer-facing paths:
- Skill runtime execution
- MCP stdio sandbox execution
For both paths, treat the sandbox as part of the runtime contract of your development environment.
Why the sandbox matters
SkillFlaw can run user-authored logic, resolve dependencies, create temporary runtime workspaces, and exchange files with runtime environments.
That means local development should not assume unrestricted execution inside the main SkillFlaw server process. Instead, you should validate sandbox connectivity, runtime images, and resource limits explicitly.
Skill sandbox
Skill execution uses the Skill sandbox service and defaults to the opensandbox backend.
At minimum, local development must align these connection settings with the real OpenSandbox service that the backend can reach:
```
SKILLFLAW_SKILL_SANDBOX_OPENSANDBOX_DOMAIN=localhost:8080
SKILLFLAW_SKILL_SANDBOX_OPENSANDBOX_PROTOCOL=http
SKILLFLAW_SKILL_SANDBOX_OPENSANDBOX_API_KEY=
SKILLFLAW_SKILL_SANDBOX_OPENSANDBOX_USE_SERVER_PROXY=false
SKILLFLAW_SKILL_SANDBOX_OPENSANDBOX_REQUEST_TIMEOUT_SECONDS=600
```
If you test dependency installation, exported files, or longer-running scripts, make the runtime limits explicit as well:
```
SKILLFLAW_SKILL_SANDBOX_CPUS=1.0
SKILLFLAW_SKILL_SANDBOX_MEMORY_MB=512
SKILLFLAW_SKILL_SANDBOX_PIDS_LIMIT=256
SKILLFLAW_SKILL_SANDBOX_TIMEOUT_SECONDS=60
SKILLFLAW_SKILL_SANDBOX_NETWORK=none
SKILLFLAW_SKILL_SANDBOX_READ_ONLY_ROOT=true
SKILLFLAW_SKILL_SANDBOX_TMPFS_ENABLED=true
SKILLFLAW_SKILL_SANDBOX_WORKSPACE_ACCESS=rw
SKILLFLAW_SKILL_SANDBOX_ENV_ALLOWLIST=[]
```
Use values that match your local verification target. For example, if a Skill must call an external service during debugging, do not assume network access exists by default; configure the sandbox network mode deliberately.
MCP sandbox
MCP stdio sandbox execution reuses the OpenSandbox connection settings from the Skill sandbox, so the local backend must reach the same OpenSandbox service.
In addition, MCP needs its own sandbox image settings because the runtime image is selected by server language.
You can configure MCP sandbox images in one of these ways:
- a shared image with `SKILLFLAW_MCP_SANDBOX_IMAGE`
- per-language images such as `SKILLFLAW_MCP_SANDBOX_PYTHON_IMAGE` and `SKILLFLAW_MCP_SANDBOX_TYPESCRIPT_IMAGE`
- image repository/tag pairs such as `SKILLFLAW_MCP_SANDBOX_PYTHON_IMAGE_REPOSITORY` with `SKILLFLAW_MCP_SANDBOX_PYTHON_IMAGE_TAG`
Example:
```
SKILLFLAW_MCP_SANDBOX_BASE_DIR=~/.skillflaw/mcp-sandboxes
SKILLFLAW_MCP_SANDBOX_PYTHON_IMAGE=ghcr.io/cwinux/skillflow_mcp_python:v1.0.1
SKILLFLAW_MCP_SANDBOX_TYPESCRIPT_IMAGE=ghcr.io/cwinux/skillflow_mcp_ts:v1.0.1
```
The MCP sandbox image value must be a Docker image reference, not an HTTP URL.
Sandbox configuration requirements
Before testing Skill or MCP behavior locally, confirm all of the following:
- OpenSandbox is deployed and reachable from the SkillFlaw backend.
- The OpenSandbox domain, protocol, and API key in `.env` match the real service.
- The sandbox image matches the runtime language you are testing.
- CPU, memory, process-count, timeout, filesystem, and network limits match your verification scope.
- Any environment variables that must enter the Skill sandbox are declared explicitly in `SKILLFLAW_SKILL_SANDBOX_ENV_ALLOWLIST`.
- If you change the sandbox image, image repository/tag settings, or OpenSandbox `execd_image`, restart the sandbox service before re-testing.
Recommended local validation flow
When sandbox-based capabilities are part of your development scope, use this order:
- Start or confirm the OpenSandbox service.
- Fill in sandbox-related `.env` settings before starting `make backend`.
- Verify the target runtime image exists for the language you want to test.
- Run Skill or MCP validation only after backend-to-sandbox connectivity is confirmed.
- Re-test after every sandbox image or runtime configuration change.
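As an added example (not SkillFlaw project code), the following Python script runs the checks from the configuration requirements and the validation flow above against a local `.env` before you start `make backend`: it parses the file, confirms the OpenSandbox connection keys and the resource limits are present and well-formed, warns on any network mode other than `none`, checks that the allowlist is a JSON list, rejects MCP image values that are HTTP URLs rather than Docker references, and can probe the OpenSandbox host:port with a plain TCP connect. The variable names come from this page; the `host:port` form of the domain, the JSON-list allowlist format, the Docker reference grammar and the TCP probe are assumptions, and the embedded `.env` content is constructed.

```python
"""Preflight check for the SkillFlaw sandbox settings in a local .env file.

Added example, not SkillFlaw project code. The variable names are the ones the
docs list; the validation rules (host:port form of the domain, JSON-list format
of the allowlist, Docker reference syntax) are assumptions to adjust locally.
"""
import json
import re
import socket
from typing import Dict, List, Tuple

# Constructed sample .env: everything matches the docs except the MCP image,
# which is an HTTP URL instead of a Docker image reference.
SAMPLE_ENV = """\
# OpenSandbox connection
SKILLFLAW_SKILL_SANDBOX_OPENSANDBOX_DOMAIN=localhost:8080
SKILLFLAW_SKILL_SANDBOX_OPENSANDBOX_PROTOCOL=http
SKILLFLAW_SKILL_SANDBOX_OPENSANDBOX_API_KEY=
SKILLFLAW_SKILL_SANDBOX_CPUS=1.0
SKILLFLAW_SKILL_SANDBOX_MEMORY_MB=512
SKILLFLAW_SKILL_SANDBOX_PIDS_LIMIT=256
SKILLFLAW_SKILL_SANDBOX_TIMEOUT_SECONDS=60
SKILLFLAW_SKILL_SANDBOX_NETWORK=none
SKILLFLAW_SKILL_SANDBOX_READ_ONLY_ROOT=true
SKILLFLAW_SKILL_SANDBOX_TMPFS_ENABLED=true
SKILLFLAW_SKILL_SANDBOX_ENV_ALLOWLIST=["HTTP_PROXY"]
SKILLFLAW_MCP_SANDBOX_PYTHON_IMAGE=http://ghcr.io/example/mcp_python:v1
"""

PREFIX = "SKILLFLAW_SKILL_SANDBOX_"
REQUIRED = [PREFIX + k for k in (
    "OPENSANDBOX_DOMAIN", "OPENSANDBOX_PROTOCOL", "OPENSANDBOX_API_KEY",
    "CPUS", "MEMORY_MB", "PIDS_LIMIT", "TIMEOUT_SECONDS", "NETWORK", "ENV_ALLOWLIST",
)]
# Loose Docker reference grammar (assumed): [registry[:port]/]path[:tag][@sha256:digest]
DOCKER_REF = re.compile(
    r"^(?:[a-z0-9.-]+(?::\d+)?/)?[a-z0-9._/-]+(?::[\w.-]+)?(?:@sha256:[0-9a-f]{64})?$"
)
Finding = Tuple[str, str]  # (level, message); level is "error" or "warning"


def parse_env(text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser: skips blanks and comments, strips quotes."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def check_env(env: Dict[str, str]) -> List[Finding]:
    findings: List[Finding] = []
    for key in REQUIRED:
        if key not in env:
            findings.append(("error", f"{key}: missing"))
    if "://" in env.get(PREFIX + "OPENSANDBOX_DOMAIN", ""):
        findings.append(("error", f"{PREFIX}OPENSANDBOX_DOMAIN: use host[:port], not a URL"))
    if env.get(PREFIX + "OPENSANDBOX_PROTOCOL") not in ("http", "https"):
        findings.append(("error", f"{PREFIX}OPENSANDBOX_PROTOCOL: must be http or https"))
    # Resource limits must parse and be positive.
    limits = (("CPUS", float), ("MEMORY_MB", int), ("PIDS_LIMIT", int), ("TIMEOUT_SECONDS", int))
    for name, kind in limits:
        key = PREFIX + name
        try:
            if kind(env.get(key, "")) <= 0:
                findings.append(("error", f"{key}: must be positive"))
        except ValueError:
            findings.append(("error", f"{key}: not a number"))
    # Booleans: anything but true/false is a typo the runtime may silently coerce.
    for name in ("READ_ONLY_ROOT", "TMPFS_ENABLED"):
        key = PREFIX + name
        if key in env and env[key].lower() not in ("true", "false"):
            findings.append(("error", f"{key}: must be true or false"))
    # Network: the docs' default is "none"; anything else widens what a Skill can reach.
    network = env.get(PREFIX + "NETWORK", "")
    if network and network != "none":
        findings.append(("warning", f"{PREFIX}NETWORK={network}: grants network access, confirm it is intended"))
    # Allowlist: a JSON list of variable names (format assumed from the docs' "[]").
    try:
        allow = json.loads(env.get(PREFIX + "ENV_ALLOWLIST", "[]"))
        if not isinstance(allow, list) or not all(isinstance(v, str) for v in allow):
            raise ValueError
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        findings.append(("error", f"{PREFIX}ENV_ALLOWLIST: must be a JSON list of names"))
    # MCP images must be Docker references, not HTTP URLs (stated in the docs).
    for key, value in env.items():
        if key.startswith("SKILLFLAW_MCP_SANDBOX_") and key.endswith("_IMAGE"):
            if value.startswith(("http://", "https://")) or not DOCKER_REF.match(value):
                findings.append(("error", f"{key}: must be a Docker image reference, not an HTTP URL"))
    return findings


def sandbox_reachable(domain: str, timeout: float = 2.0) -> bool:
    """TCP-connect probe for the OpenSandbox host:port (IPv4/hostname only); no API call is made."""
    host, _, port = domain.partition(":")
    try:
        with socket.create_connection((host, int(port or 80)), timeout=timeout):
            return True
    except (OSError, ValueError):
        return False


if __name__ == "__main__":
    cfg = parse_env(SAMPLE_ENV)
    for level, msg in check_env(cfg):
        print(f"{level}: {msg}")
    print("reachable:", sandbox_reachable(cfg[PREFIX + "OPENSANDBOX_DOMAIN"]))
```

Point `parse_env` at your real `.env` instead of `SAMPLE_ENV` and treat any `error` finding as a reason not to start the backend; the network `warning` is deliberate, since the page asks you to configure network mode consciously rather than inherit it.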