New capability detonates skills in a sandboxed environment and records every action at the LLM and OS level, catching malicious behavior that static scanning and LLM-based evaluation miss
Permiso Security, the unified identity security platform, announced SandyClaw, the first dynamic analysis platform for AI agent skills. SandyClaw executes skills in a sandboxed environment, records every action at the LLM and operating system level, and delivers a verdict backed by multiple detection engines. Permiso platform customers receive unrestricted access.
Also Read: CIO Influence Interview with Gihan Munasinghe, CTO of One Identity
AI agents require skills to perform useful work: downloadable capabilities that teach them how to interact with tools, APIs, and services. Skill marketplaces have become the software supply chain for AI agents, and attackers have already begun publishing malicious skills on these platforms. The current approach to skill security relies on static code analysis or LLM-based evaluation. Neither executes the skill, which means neither can detect behavior that only manifests at runtime.
Permiso’s threat research team was among the earliest to publicly identify and document malicious skills in the wild. That research led directly to SandyClaw.
Unlike static scanning or runtime containment approaches, SandyClaw applies sandbox detonation, a methodology the cybersecurity industry has relied on for evaluating suspicious executables, to the agent skill ecosystem. It records every LLM action, network call, domain resolution, file write, and environment variable access attempt. SSL traffic is intercepted and decrypted. Analysis runs against Sigma, Yara, Nova, and Snort engines augmented with custom Permiso detection rules. SandyClaw works across all major agent frameworks including OpenClaw, Cursor, and Codex.
“Agents are only as trustworthy as the skills they run. As skill marketplaces become the primary distribution channel for agent capabilities, the ability to validate what a skill actually does before it reaches your environment becomes a security requirement, not a nice-to-have. That is what SandyClaw delivers.”
– Paul Nguyen, Co-Founder and Co-CEO, Permiso Security
Key Capabilities
- Dynamic detonation with full behavioral recording that captures every action at the LLM and OS level, including network calls, file writes, environment variable access, and domain resolution.
- Multi-engine detection using Sigma, Yara, Nova, and Snort alongside custom Permiso detection rules, delivering evidence-backed verdicts rather than confidence scores.
- Full traffic visibility with SSL intercept that decrypts encrypted outbound traffic inside the sandbox, exposing exfiltration attempts that would be invisible to tools without decryption capabilities.
- Full verdict transparency that provides the complete behavioral record behind every determination, including every file written, domain resolved, and network call made, so security teams can verify the finding themselves rather than trusting an opaque score.
- Cross-framework support and platform integration covering OpenClaw, Cursor, Codex, and other agent frameworks, with the ability to automatically analyze skills when the Permiso platform detects a download or installation.
“Most skill scanners inspect code or ask an LLM for an opinion. But real risk shows up at runtime: network activity, file writes, and access to sensitive environment variables. SandyClaw was built on the belief that behavior is more revealing than source code alone. We detonate the skill, capture everything it does, and let the evidence speak for itself.”
– Ian Ahl, CTO, Permiso Security
Catch more CIO Insights: CIO as Orchestrator of Cross-Functional Digital Strategy
[To share your insights with us, please write to psen@itechseries.com ]
