Permiso has launched SandyClaw, a dynamic sandbox for AI agent skills that it describes as the first product of its kind.
The launch addresses a growing security concern around downloadable skills that AI agents use to interact with tools, application programming interfaces and online services. According to Permiso, attackers have already begun placing malicious skills on marketplaces, creating a new supply chain risk for businesses using AI agents.
SandyClaw executes a skill in a sandboxed environment instead of relying on static code inspection or a large language model’s assessment of source code. It records actions at both the large language model and operating system levels, including network calls, domain resolution, file writes and attempts to access environment variables.
It also intercepts and decrypts SSL traffic within the sandbox to expose outbound activity that might otherwise remain hidden. Analysis then runs across Sigma, Yara, Nova and Snort detection engines, along with custom detection rules developed by Permiso.
The system works with major agent frameworks including OpenClaw, Cursor and Codex. It can also analyse skills automatically when the Permiso platform detects a download or installation.
Permiso’s research team said the product builds directly on its earlier work identifying malicious AI agent skills in public marketplaces. That research highlighted a gap in existing security approaches: some harmful behaviour appears only when code is executed.
Runtime focus
Static analysis and model-based review have become common ways to check software components before deployment, but both have limits when code is designed to conceal its behaviour until execution. In AI agent skills, that can include hidden network activity, unauthorised file changes or attempts to retrieve sensitive credentials from a host environment.
Permiso said SandyClaw was built to address that problem by applying the sandbox detonation approach already used elsewhere in cyber security for suspicious executables. Rather than issuing a probability score, the product is designed to produce a verdict backed by a record of observed behaviour.
That record includes actions taken during execution, such as which files were created, which domains were resolved and which outbound connections were attempted. Permiso says this gives security teams a direct evidence trail they can examine themselves.
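To make the "verdict backed by a record of observed behaviour" idea concrete, here is an added Python example that is not SandyClaw's code: it applies a few rules to a constructed sandbox trace (the event format, rule ids and sample events are all assumptions) and keeps the triggering events as the evidence trail an analyst could review.

```python
import re

# Constructed trace: what a hypothetical skill did when detonated in a sandbox.
# Each event is one observed action at the OS level (env read, DNS, network, file).
SAMPLE_TRACE = [
    {"type": "env_read", "name": "HOME"},
    {"type": "env_read", "name": "AWS_SECRET_ACCESS_KEY"},
    {"type": "dns_resolve", "domain": "updates.example-skill.test"},
    {"type": "net_connect", "dest": "203.0.113.7:443", "bytes_out": 4096},
    {"type": "file_write", "path": "/home/agent/.ssh/authorized_keys"},
]

# Hypothetical rules: (rule id, description, predicate over one event).
RULES = [
    ("ENV-001", "reads credential-like environment variable",
     lambda e: e["type"] == "env_read"
     and re.search(r"SECRET|TOKEN|PASSWORD|KEY", e["name"]) is not None),
    ("FS-001", "writes to SSH trust configuration",
     lambda e: e["type"] == "file_write"
     and e["path"].endswith("/.ssh/authorized_keys")),
    ("NET-001", "outbound connection to a destination outside the 10.0.0.0/8 allowlist",
     lambda e: e["type"] == "net_connect" and not e["dest"].startswith("10.")),
]


def analyse(trace):
    """Return (verdict, evidence) for a trace.

    The verdict is a decision, not a probability; every rule hit records the
    exact event and its position so the reasoning can be checked by hand.
    """
    evidence = []
    for idx, event in enumerate(trace):
        for rule_id, desc, pred in RULES:
            if pred(event):
                evidence.append({"rule": rule_id, "description": desc,
                                 "event_index": idx, "event": event})
    ids = [h["rule"] for h in evidence]
    env_idx = [h["event_index"] for h in evidence if h["rule"] == "ENV-001"]
    net_idx = [h["event_index"] for h in evidence if h["rule"] == "NET-001"]
    if "FS-001" in ids:
        verdict = "malicious"
    elif env_idx and net_idx and min(env_idx) < max(net_idx):
        # Ordering only visible at runtime: credential read, then outbound traffic.
        verdict = "malicious"
    else:
        verdict = "suspicious" if evidence else "benign"
    return verdict, evidence


if __name__ == "__main__":
    v, ev = analyse(SAMPLE_TRACE)
    print(v)
    for hit in ev:
        print(f"  {hit['rule']} at event {hit['event_index']}: {hit['description']}")
```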
“Agents are only as trustworthy as the skills they run. As skill marketplaces become the primary distribution channel for agent capabilities, the ability to validate what a skill actually does before it reaches your environment becomes a security requirement, not a nice-to-have. That is what SandyClaw delivers,” said Paul Nguyen, Co-Founder and Co-CEO of Permiso.
Broader risk
The rise of AI agents has created a parallel market for reusable skills, plug-ins and connectors that expand what those agents can do. As organisations adopt these tools, security teams are facing a familiar software supply chain problem in a new form: third-party components that may appear harmless in code review but behave differently when run.
The issue is particularly sensitive in enterprise settings, where AI agents may have access to internal systems, cloud environments, credentials or data repositories. A malicious skill that can make network requests, write files or read environment variables could create a path to data theft or further compromise.
Permiso’s approach focuses on monitoring behaviour inside an isolated environment before a skill is trusted in production. By decrypting traffic and preserving execution records, the product aims to help investigators understand not only whether a skill is risky, but also what it attempted to do.
SandyClaw is available immediately, and customers of the wider Permiso platform will have unrestricted access. Permiso sells identity security tools focused on threats involving human, machine and AI identities across cloud and on-premise environments.
“Most skill scanners inspect code or ask an LLM for an opinion. But real risk shows up at runtime: network activity, file writes, and access to sensitive environment variables. SandyClaw was built on the belief that behavior is more revealing than source code alone. We detonate the skill, capture everything it does, and let the evidence speak for itself,” said Ahl.
