[Feature]: Mount skill directories read-only in sandbox containers

[tasaankaeris]

Summary

Skill directories are copied into the writable sandbox workspace, allowing agents to modify skill files; they should be bind-mounted read-only instead.

Problem to solve

Skills are instructions, they never themselves should need to be writable. It is impossible to enforce any runtime security if the very instruction sets agents are given can be modified by attacking code.

Skill directories are writable by the agent in all sandbox workspaceAccess modes:

• "rw": The host workspace is mounted read-write at /workspace. Skills at <workspace>/skills/ are directly writable through this mount
  • syncSkillsToWorkspace is not called (src/agents/sandbox/context.ts:48, guard: if (cfg.workspaceAccess !== "rw"))
• "ro": The host workspace is mounted read-only, but skills are copied into the sandbox workspace via syncSkillsToWorkspace (src/agents/sandbox/context.ts:50-54)
  • The sandbox workspace is writable (it's the agent's working directory), so the copies are writable.
• "none": No host workspace mounted
  • Skills are copied into the writable sandbox workspace, same as "ro"

In every case, a sandboxed agent can modify skill files. The exec tool doesn't bypass read-only mounts (those are kernel-enforced), but it doesn't need to: skills simply aren't in any read-only mount. They're either part of a writable host mount (rw) or writable copies in the sandbox workspace (ro/none).

Proposed solution

Mount each skill directory as a read-only bind mount in all workspaceAccess modes:

-v /home/user/.openclaw/skills/my-skill:/workspace/skills/my-skill:ro
-v /path/to/workspace/.agents/skills/git-skill:/workspace/skills/git-skill:ro

• "rw" mode: The host workspace is still mounted read-write at /workspace, but individual skill directories are overlaid with :ro mounts at /workspace/skills/. Docker specific-path mounts take precedence over broader mounts, so the agent can write to /workspace but not to /workspace/skills/.
• "ro"/"none" modes: Skip the syncSkillsToWorkspace copy entirely. Mount skill source directories directly from the host with :ro. No copies, no writable duplicates.
  This gives kernel-enforced skill immutability regardless of workspace access mode.

The infrastructure for this already exists:

• docker.binds supports :ro mounts (src/agents/sandbox/docker.ts:318-322)
• parseSandboxBindMount correctly parses the :ro flag (src/agents/sandbox/fs-paths.ts:26-53)
• Workspace mounts already use :ro when workspaceAccess === "ro" (src/agents/sandbox/docker.ts:345-347)
• Docker handles overlapping mounts correctly -- /workspace/skills/my-skill:ro is kernel-enforced read-only even if /workspace is writable

Alternatives considered

• Application-level write guard: Extend wrapToolWorkspaceRootGuard in src/agents/pi-tools.read.ts to reject writes to skills/ paths
  • Weaker -- an agent with exec access can bypass JavaScript path checks via shell commands. Still useful as a complementary measure for non-sandboxed agents
• Hash verification: Hash skill files at load time, verify before use. Detects tampering but doesn't prevent it. A detection-only measure.
• Sandbox workspace read-only: Make the entire sandbox workspace read-only
  • Too restrictive -- agents need to write working files during sessions
• Keep the copy, mark copied dir read-only via chmod
  • Possible but fragile -- the agent runs as the same user inside the container and chmod is reversible - by contrast kernel-enforced bind mount :ro is not bypassable from inside the container

Impact

Affected users/systems:

All users who have enabled sandboxing (agents.defaults.sandbox.mode: "non-main" or "all"). These users have explicitly opted into isolation -- they expect the sandbox to be a security boundary. This gap means their assumed security posture is stronger than their actual posture.

Severity:

This is not a crash or a UX annoyance. It is a gap in the security model that is invisible to the operator. There is no warning or error when an agent modifies a skill file. The operator has no indication it happened.

Frequency:

Always present

Consequences:

Agent self-modification: An agent can rewrite skill instructions mid-session to alter its own behavior, bypass operator-intended guardrails encoded in skills, or escalate its own capabilities.

Cross-skill tampering: An agent can modify one skill's scripts to affect behavior triggered by another skill's instructions. The operator sees two independent skills but the agent has merged them.

Persistence risk: If the sandbox container is reused across sessions (depending on sandbox lifecycle config), modified skill copies persist into future sessions. The agent's modifications outlive the session that made them.

Evidence/examples

Docker read-only mounting itself was designed with this exact sort of security issue in mind.

MCP incidentally provides the same sort of concept - an agent can call MCP - it cannot alter the MCP server.

Additional information

This could easily be an option in openclaw.json (skillReadOnly: true?) rather than enforced as a breaking change, depending on desired impact.

[steipete]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep this issue open. Current main still does not generate automatic read-only skill directory mounts: non-rw sandbox runs still copy eligible skills into the sandbox workspace, rw runs still expose workspace skills through the writable workspace mount, and the shipped #22669 work only proves custom bind precedence rather than per-skill overlays.

Required change / next step:

Keep this issue open for maintainer/secops design. The fix should derive eligible skill source directories from the skills loader, append Docker read-only overlays after broader workspace mounts, avoid writable duplicate skill copies when source mounts are available, represent generated mounts in config hashing and fs bridges, define SSH/OpenShell behavior, and update sandbox/skills docs plus tests for all workspaceAccess modes.

Best possible solution:

Keep this issue open for maintainer/secops design. The fix should derive eligible skill source directories from the skills loader, append Docker read-only overlays after broader workspace mounts, avoid writable duplicate skill copies when source mounts are available, represent generated mounts in config hashing and fs bridges, define SSH/OpenShell behavior, and update sandbox/skills docs plus tests for all workspaceAccess modes.

Acceptance criteria:

• pnpm test src/agents/sandbox.resolveSandboxContext.test.ts src/agents/sandbox/docker.config-hash-recreate.test.ts src/agents/sandbox/fs-paths.test.ts src/agents/sandbox/workspace-mounts.test.ts src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.test.ts
• pnpm check:changed in Blacksmith Testbox after code/docs changes

What I checked:

• Non-rw sandboxes still sync skills into the sandbox workspace: ensureSandboxWorkspaceLayout chooses the sandbox workspace whenever workspaceAccess is not rw and then calls syncSkillsToWorkspace for those non-rw modes. (src/agents/sandbox/context.ts:45, 20e21173715e)
• Skill staging remains copy-based: syncSkillsToWorkspace removes/recreates targetWorkspace/skills and copies each eligible skill directory with fsp.cp; it does not return bind specs, chmod copied trees, or mark skill entries read-only. (src/agents/skills/workspace.ts:910, 20e21173715e)
• Docker create path has no generated skill overlays: Container creation builds base args, appends managed workspace mounts, then appends only configured custom binds. There is no path deriving /workspace/skills/<name>:ro mounts from loaded skill entries. (src/agents/sandbox/docker.ts:486, 20e21173715e)
• Workspace mounts are still coarse-grained: appendWorkspaceMountArgs models only the main workspace mount and optional /agent mount based on workspaceAccess; it has no per-skill read-only mount concept. (src/agents/sandbox/workspace-mounts.ts:14, 20e21173715e)
• FS bridge has no automatic skill mount source: buildSandboxFsMounts models workspace, agent, and configured bind mounts only, so generated skill overlays would not currently be reflected in path resolution or writability checks. (src/agents/sandbox/fs-paths.ts:61, 20e21173715e)
• Docs still describe mirrored skills for sandbox access: The sandbox docs say workspaceAccess: "none" mirrors eligible skills into the sandbox workspace and "rw" reads workspace skills from /workspace/skills, matching the current writable-copy/writable-mount behavior. Public docs: docs/gateway/sandboxing.md. (docs/gateway/sandboxing.md:306, 20e21173715e)

Likely related people:

• steipete: CODEOWNERS routes src/agents/sandbox/** and sandbox docs through secops, the issue discussion has steipete's maintainer review keeping this open, and GitHub path history shows repeated recent sandbox context/Docker/fs-path maintenance including the [Bug]: Sandbox Docker binds within agent workspace are ignored #22669 bind-precedence fix. (role: primary sandbox/security maintainer and review route; confidence: high; commits: 7f3f108521f4, 893c1d61ee0f, 3e834f2f83d9; files: .github/CODEOWNERS, src/agents/sandbox/context.ts, src/agents/sandbox/docker.ts)
• vincentkoc: GitHub path history shows recent maintenance across the Docker sandbox create path, sandbox context, and skills workspace behavior that a read-only skill mount design would likely cross. (role: recent adjacent sandbox and skills maintainer; confidence: medium; commits: d70191f8afd4, 47dc9f7fc0b, 74e7b8d47b18; files: src/agents/sandbox/docker.ts, src/agents/sandbox/context.ts, src/agents/skills/workspace.ts)
• gumadeiras: Recent history ties gumadeiras to preserving remote skill sync eligibility and inherited agent skill allowlists, both central to deriving the eligible skill source directories that would need read-only mounts. (role: skill filtering/sync behavior maintainer; confidence: medium; commits: 5e365a8ec4a5, ddd250d13075; files: src/agents/sandbox/context.ts, src/agents/skills/workspace.ts)

Remaining risk / open question:

• Closing now would leave sandbox users with writable skill copies in non-rw modes and writable workspace skill directories in rw mode.
• A Docker-only quick fix could diverge from SSH/OpenShell sandbox semantics unless maintainers define the backend contract first.
• Generated skill mounts need to be included in config hashing and fs-bridge mount modeling, or existing containers and file tools could disagree about path writability.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 20e21173715e.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Latest ClawSweeper review: 2026-05-23 05:44 UTC / May 23, 2026, 1:44 AM ET.

Workflow note: Future ClawSweeper reviews update this same comment in place.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

Summary
Keep open. Current main and the latest release still lack generated read-only skill mounts, non-rw sandbox skill access is still copy-based, rw workspace skills still sit under the writable workspace mount, and the open linked fix PR has not merged.

Reproducibility: yes. at source level. Current main still lacks generated per-skill read-only overlays, rw workspace skills remain under the writable workspace mount, and non-rw skill access remains copy-based; no live container run was performed in this read-only review.

Next step
An open linked PR already targets the issue, but the remaining work is security-sensitive sandbox design and review rather than a separate automated fix PR.

Security
Needs attention: The issue reports a real sandbox authority gap: skill instruction files are not modeled as immutable read-only mounts across sandbox modes.

Review details

Best possible solution:

Design and land an owner-reviewed sandbox skill-mount contract that derives eligible skill sources from the loader, uses read-only mount-backed protection after broader workspace mounts, avoids writable duplicates, and updates hashing, fs-path authority, backend docs, and tests across all workspace access modes.

Do we have a high-confidence way to reproduce the issue?

Yes, at source level. Current main still lacks generated per-skill read-only overlays, rw workspace skills remain under the writable workspace mount, and non-rw skill access remains copy-based; no live container run was performed in this read-only review.

Is this the best way to solve the issue?

Yes on the direction, but not as a narrow autonomous patch. Kernel-enforced read-only mounts derived from the skills loader look like the maintainable end state, while rollout, config hashing, fs bridge behavior, and non-Docker backend semantics need maintainer/security design.

Label justifications:

• P2: The issue describes a concrete sandbox hardening gap for sandbox-enabled users, but it is not a confirmed active exploit, crash loop, or outage.
• impact:security: The request concerns sandbox boundaries and mutable skill instruction files inside sandboxed agent environments.

Security concerns:

• [medium] Skill instructions remain writable copies in non-rw sandboxes — src/agents/skills/workspace.ts:1292
  Current main copies eligible skill directories into targetWorkspace/skills with fsp.cp, so the sandbox workspace contains mutable instruction files instead of kernel-enforced read-only mounts.
  Confidence: 0.9
• [medium] Workspace skills remain writable in rw sandboxes — src/agents/sandbox/context.ts:45
  In rw mode the active workspace is the agent workspace and the workspace mount is writable, so workspace skills under /workspace/skills are not protected by a narrower read-only overlay.
  Confidence: 0.86
• [medium] Generated skill mount authority is not modeled — src/agents/sandbox/fs-paths.ts:67
  The fs bridge currently models only workspace, agent, and configured bind mounts, so generated read-only skill mounts require an explicit path and writability contract.
  Confidence: 0.86

Acceptance criteria:

• node scripts/run-vitest.mjs src/agents/sandbox.resolveSandboxContext.test.ts src/agents/sandbox/docker.config-hash-recreate.test.ts src/agents/sandbox/fs-paths.test.ts src/agents/sandbox/workspace-mounts.test.ts src/agents/skills.build-workspace-skills-prompt.syncs-merged-skills-into-target-workspace.test.ts
• node scripts/crabbox-wrapper.mjs run --shell -- "pnpm check:changed" after code/docs changes
• Real Docker sandbox proof across workspaceAccess=rw, workspaceAccess=ro, and workspaceAccess=none

What I checked:

• Current source: non-rw sandbox modes still stage skills by copy: ensureSandboxWorkspaceLayout selects the sandbox workspace for non-rw modes and calls syncSkillsToWorkspace; it does not derive read-only skill bind mounts. (src/agents/sandbox/context.ts:45, 5656f687c136)
• Current source: skill sync remains mutable copy behavior: syncSkillsToWorkspace removes/recreates targetWorkspace/skills and copies each skill with fsp.cp, with no mount metadata or immutable source contract. (src/agents/skills/workspace.ts:1268, 5656f687c136)
• Current source: Docker create path has no generated skill overlays: Container creation appends managed workspace mounts and then configured custom binds only; there is no generated /workspace/skills or .agents/skills read-only overlay from loaded skill entries. (src/agents/sandbox/docker.ts:560, 5656f687c136)
• Current source: fs bridge does not model generated skill mount authority: buildSandboxFsMounts models workspace, optional agent workspace, and configured binds only, so a read-only skill mount design still needs path and writability modeling here. (src/agents/sandbox/fs-paths.ts:67, 5656f687c136)
• Docs still describe mirrored skills rather than read-only mounts: The sandboxing docs say workspaceAccess: "none" mirrors eligible skills into the sandbox workspace and "rw" reads workspace skills from /workspace/skills, matching the reported copy/writable-mount model. Public docs: docs/gateway/sandboxing.md. (docs/gateway/sandboxing.md:321, 5656f687c136)
• Latest release still has the same behavior: Tag v2026.5.20 points at e510042870cf248c0e0461b6f8d427326266141d and still has the non-rw sync branch plus copy-based fsp.cp skill staging. (src/agents/sandbox/context.ts:45, e510042870cf)

Likely related people:

• steipete: Prior review kept this security-sensitive sandbox item open, CODEOWNERS routes sandbox paths through secops, and history shows recent work on sandbox layout, Docker binds, and skill sync-adjacent code. (role: security review route and recent sandbox contributor; confidence: high; commits: 182afe9f594d, 6f895eb831e2, 7f3f108521f4; files: src/agents/sandbox/context.ts, src/agents/sandbox/docker.ts, src/agents/skills/workspace.ts)
• vincentkoc: Recent history touches Docker sandbox config, backend/fs-path types, and skills discovery surfaces that a read-only skill mount contract would cross. (role: recent adjacent sandbox and skills contributor; confidence: medium; commits: d70191f8afd4, 47dc9f7fc0b9, 7d6af7e154c9; files: src/agents/sandbox/docker.ts, src/agents/sandbox/fs-paths.ts, src/agents/sandbox/context.ts)
• gumadeiras: Recent merged work preserved remote skill sync eligibility and inherited agent skill allowlists, both central to selecting eligible skill source directories for read-only handling. (role: recent skill eligibility contributor; confidence: medium; commits: 5e365a8ec4a5, ddd250d13075; files: src/agents/sandbox/context.ts, src/agents/skills/workspace.ts)
• Vignesh Natarajan: Introduced the shared bind-aware sandbox FS path resolver that any generated read-only skill mount authority must integrate with. (role: fs path resolver introducer; confidence: medium; commits: eafda6f52671; files: src/agents/sandbox/fs-paths.ts)
• joshavant: Recent commits touched Docker bind write policy and sandbox execution hardening near the same writability and authority model. (role: recent adjacent sandbox policy contributor; confidence: medium; commits: 3ee03420613f, 045a581069dc, ba06376c7955; files: src/agents/sandbox/docker.ts, src/agents/sandbox/fs-paths.ts, docs/gateway/sandboxing.md)

Remaining risk / open question:

• A Docker-only overlay fix could diverge from SSH/OpenShell sandbox semantics unless maintainers define the backend contract first.
• Generated skill mounts need to participate in config hashing and fs-bridge writability modeling, or existing containers and file tools can disagree about authority.
• The open accessibility PR at fix: sync skills to workspace in rw mode #48034 moves in a copy-based direction, so maintainers should reconcile skill accessibility with immutable skill handling before landing either path.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 5656f687c136.