Permiso Security on April 2 launched SandyClaw, a product that executes AI agent skills in a sandboxed environment and records every action at the LLM and operating system level before the skill touches a production system. The product works across OpenClaw, Cursor, and Codex, and is the first purpose-built dynamic analysis platform for the agent skill ecosystem, according to the company’s announcement via BusinessWire.
How SandyClaw Works
AI agents require downloadable skills to interact with tools, APIs, and services. Skill marketplaces have become the software supply chain for agents, and Permiso’s threat research team says attackers have already published malicious skills on these platforms. Current approaches rely on static code analysis or LLM-based evaluation, neither of which executes the skill, meaning neither catches behavior that only shows up at runtime.
SandyClaw applies sandbox detonation, a technique the cybersecurity industry has used for years to evaluate suspicious executables, to agent skills specifically. It records every LLM action, network call, domain resolution, file write, and environment variable access attempt. SSL traffic is intercepted and decrypted inside the sandbox, exposing exfiltration attempts that are invisible to tools that do not decrypt traffic, according to CIO Influence. Detections run against Sigma, YARA, Nova, and Snort engines alongside custom Permiso rules.
“Agents are only as trustworthy as the skills they run,” Permiso co-founder and co-CEO Paul Nguyen said in the announcement. “The ability to validate what a skill actually does before it reaches your environment becomes a security requirement, not a nice-to-have.”
CTO Ian Ahl added: “Most skill scanners inspect code or ask an LLM for an opinion. But real risk shows up at runtime: network activity, file writes, and access to sensitive environment variables.”
Why It Matters for Builders
SandyClaw’s cross-framework support, covering OpenClaw, Cursor, and Codex, positions it for the multi-framework enterprise architectures now emerging. The product integrates into the existing Permiso platform and automatically triggers analysis when a skill download or installation is detected. Permiso platform customers receive unrestricted access.
The timing is notable. The Transparency Coalition for AI published a risk guide for OpenClaw agents this week identifying skill-level access as a key concern. SandyClaw is the first commercial product to directly address that specific layer of the agent security stack.