[Feature]: Sandbox mode needs a functional default image, as well as the secure empty one

[alexgalbraith]

Summary

The default sandbox image (openclaw-sandbox:bookworm-slim) is too minimal for common agent operations. When running cron jobs or isolated sessions in sandbox mode, agents frequently need tools like curl, jq, and custom CLIs (e.g., gog for Google Workspace), but these aren't available. This forces users to either:

1. Run tasks on the host (defeating the purpose of sandboxing)
2. Build custom Docker images (requires Docker expertise)
3. Use setupCommand to install tools at runtime (requires network access, slows container startup)
   The current documentation acknowledges this ("the default image does not include Node") but the gap between "secure sandbox mode" and "actually usable sandbox" is significant for common use cases like fetching RSS feeds, calling APIs, or running skill CLIs.

Proposed solution

Provide a "batteries included" sandbox image option, either:

1. A second official image (e.g., openclaw-sandbox:full) pre-built with common tools: curl, wget, jq, git, node, python3, and a mechanism to inject skill CLIs
2. A build script flag for sandbox-setup.sh (e.g., --full) that includes these tools
3. Auto-install of skill CLIs into the sandbox image when skills are registered, similar to how autoAllowSkills works for exec approvals
   Additionally, consider a sandbox.docker.env example in the docs showing how to pass API keys (e.g., weather API, etc.) into the container.

Alternatives considered

• setupCommand approach: Works but requires docker.network enabled and readOnlyRoot: false, which weakens sandbox security. Also adds startup latency.
• Custom Dockerfile: Requires users to maintain their own image, diverging from upstream updates.
• Run on host: The current workaround, but defeats the security benefits of sandboxing.
Additional context

Real-world example: A morning brief cron job needs to:

• Fetch RSS feeds (needs curl)
• Check Gmail/Calendar (needs gog CLI)
• Get weather data (needs curl + API key access)
• Check Claude usage (needs browser tool)
With the default sandbox, none of these work. The agent correctly reports it can't proceed, but users expect sandbox mode to be functional out of the box.

Related docs:

Sandboxing (https://docs.openclaw.ai/gateway/sandboxing)

[steamb23]

What you're talking about is somewhat achievable by cloning the Git repository and running scripts/sandbox-common-setup.sh.
I'm customizing this by adding the uv package for Python.

uv works fine, but other package managers are problematic.

Installing npm packages globally in a sandbox environment fails because root access is disabled by default.

Overall, OpenClaw's sandboxing configuration offers a wide range of options, but there are many inconsistent options, including those that require sandboxing to work properly, and even those that don't work properly.

Furthermore, most community and official tools aren't designed to work in sandboxes.

Most of them only provide installation methods that require root access, requiring significant user effort to run in the default sandbox.

Honestly, I'm getting tired of setting up sandboxing now, so I'm thinking of giving up...

Disabling the sandbox exposes my machine to RCE attacks, but running it on the host seems like a less daunting task.

[vincentkoc]

Closing as completed based on what is now available in main:

• Functional "batteries-included" sandbox image path:
  • Dockerfile.sandbox-common
  • scripts/sandbox-common-setup.sh
• Docs and usage guidance:
  • /install/docker (sandbox common image section and config example)

This addresses the core usability gap called out here (usable sandbox image beyond the minimal default).

Remaining runtime-architecture work (for example Sysbox/runtime selection) is tracked separately in #7575.