Free SKILL.md scraped from GitHub. Clone the repo or copy the file directly into your Claude Code skills directory.
npx versuz@latest install brycewang-stanford-awesome-agent-skills-for-empirical-research-skills-43-wentorai-research-plugins-skills-tools-code-exec-sandbgit clone https://github.com/brycewang-stanford/Awesome-Agent-Skills-for-Empirical-Research.gitcp Awesome-Agent-Skills-for-Empirical-Research/SKILL.MD ~/.claude/skills/brycewang-stanford-awesome-agent-skills-for-empirical-research-skills-43-wentorai-research-plugins-skills-tools-code-exec-sandb/SKILL.md---
name: sandbox-execution-guide
description: "Secure sandboxed code execution environments for reproducible research computing"
metadata:
openclaw:
emoji: "🛡️"
category: "tools"
subcategory: "code-exec"
keywords: ["sandbox execution", "code runner", "literate programming", "containerization", "reproducible computing"]
source: "wentor"
---
# Sandbox Execution Guide
A skill for setting up and using sandboxed code execution environments for research computing. Covers containerized execution, security considerations, resource management, and integration with research workflows.
## Why Sandboxed Execution?
Research code often requires:
- Isolation from the host system for security
- Reproducible environments across machines
- Resource limits to prevent runaway computations
- Multi-language support (Python, R, Julia, MATLAB)
## Docker-Based Sandboxes
### Creating a Research Container
```dockerfile
# Dockerfile for a reproducible research environment
FROM python:3.11-slim
# System dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential \
gfortran \
libopenblas-dev \
&& rm -rf /var/lib/apt/lists/*
# Create non-root user for security
RUN useradd -m -s /bin/bash researcher
USER researcher
WORKDIR /home/researcher
# Pin all dependencies
COPY requirements.txt .
RUN pip install --user --no-cache-dir -r requirements.txt
# Copy project files
COPY --chown=researcher:researcher . /home/researcher/project
WORKDIR /home/researcher/project
# Resource limits set at runtime, not build time
CMD ["python", "main.py"]
```
### Running with Resource Limits
```bash
# Run with CPU, memory, and time constraints
docker run \
--cpus="2.0" \
--memory="4g" \
--memory-swap="4g" \
--pids-limit=100 \
--network=none \
--read-only \
--tmpfs /tmp:size=512m \
--timeout 3600 \
research-sandbox:latest python analysis.py
# Mount data as read-only, output directory as writable
docker run \
-v /data/raw:/data:ro \
-v /data/results:/output:rw \
--cpus="4.0" \
--memory="16g" \
research-sandbox:latest python pipeline.py
```
## Python Sandbox with Resource Limits
### Process-Level Isolation
```python
import subprocess
import resource
import signal
import tempfile
import os
def run_sandboxed(code: str, timeout: int = 60,
max_memory_mb: int = 512) -> dict:
"""
Execute Python code in a sandboxed subprocess with resource limits.
Args:
code: Python code string to execute
timeout: Maximum execution time in seconds
max_memory_mb: Maximum memory in megabytes
"""
with tempfile.NamedTemporaryFile(mode='w', suffix='.py', delete=False) as f:
f.write(code)
script_path = f.name
try:
result = subprocess.run(
['python', '-u', script_path],
capture_output=True,
text=True,
timeout=timeout,
env={
'PATH': '/usr/bin:/usr/local/bin',
'HOME': '/tmp',
'PYTHONDONTWRITEBYTECODE': '1'
}
)
return {
'stdout': result.stdout,
'stderr': result.stderr,
'returncode': result.returncode,
'timed_out': False
}
except subprocess.TimeoutExpired:
return {
'stdout': '',
'stderr': f'Execution timed out after {timeout}s',
'returncode': -1,
'timed_out': True
}
finally:
os.unlink(script_path)
# Example usage
result = run_sandboxed("""
import numpy as np
data = np.random.randn(1000)
print(f"Mean: {data.mean():.4f}")
print(f"Std: {data.std():.4f}")
""", timeout=30, max_memory_mb=256)
print(result['stdout'])
```
## Nix-Based Reproducible Environments
For maximum reproducibility, use Nix to pin every dependency including system libraries:
```nix
# shell.nix for a research project
{ pkgs ? import (fetchTarball {
url = "https://github.com/NixOS/nixpkgs/archive/nixos-23.11.tar.gz";
}) {} }:
pkgs.mkShell {
buildInputs = with pkgs; [
python311
python311Packages.numpy
python311Packages.scipy
python311Packages.pandas
python311Packages.matplotlib
python311Packages.scikit-learn
R
rPackages.ggplot2
rPackages.dplyr
];
shellHook = ''
echo "Research sandbox activated"
echo "Python: $(python --version)"
echo "R: $(R --version | head -1)"
'';
}
```
```bash
# Enter the reproducible environment
nix-shell shell.nix
# Or use flakes for even better reproducibility
nix develop
```
## Security Best Practices
When running untrusted or third-party code:
1. **Network isolation**: Use `--network=none` in Docker to prevent data exfiltration
2. **Filesystem restrictions**: Mount data as read-only, limit writable paths
3. **Resource caps**: Always set CPU, memory, and time limits
4. **User isolation**: Run as non-root user inside the container
5. **Syscall filtering**: Use seccomp profiles to restrict system calls
6. **Output sanitization**: Validate and sanitize all output before processing
## Integration with CI/CD
Automate research pipeline execution with GitHub Actions:
```yaml
name: Research Pipeline
on:
push:
paths: ['src/**', 'data/**']
jobs:
run-analysis:
runs-on: ubuntu-latest
container:
image: research-sandbox:latest
options: --cpus 4 --memory 8g
steps:
- uses: actions/checkout@v4
- run: python src/01_preprocess.py
- run: python src/02_analyze.py
- run: python src/03_visualize.py
- uses: actions/upload-artifact@v4
with:
name: results
path: output/
```
This ensures every commit triggers a fresh, sandboxed execution of the full pipeline, catching environment-dependent bugs and ensuring reproducibility.