technicalpickles/sandbox-first
plugins/sandbox-first/skills/sandbox-first/SKILL.md
Use when a Bash command fails in the sandbox, or when considering whether to use dangerouslyDisableSandbox. Guides sandbox-first execution and sandbox config diagnosis.
$ install --global
skillsauthnpx skillsauth add technicalpickles/pickled-claude-plugins sandbox-firstInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 15, 2026, 5:03 AM7.4s1 file scanned
SKILL.md
- name:
- sandbox-first
- description:
- Use when a Bash command fails in the sandbox, or when considering whether to use dangerouslyDisableSandbox. Guides sandbox-first execution and sandbox config diagnosis.
Sandbox-First Execution
Core Rule
Always run Bash commands sandboxed first. Never set dangerouslyDisableSandbox: true unless
a sandboxed attempt has already failed in this session, or the command is listed in
skip_failure_requirement (see Configured Exceptions below).
When a Sandboxed Command Fails
Before retrying with dangerouslyDisableSandbox:
- Read the error. What specifically failed?
- Is it a sandbox restriction? Look for:
- "Operation not permitted" (filesystem write outside allowed paths)
- "Connection refused" or network timeouts (host not in allowedHosts)
- "Permission denied" on paths outside the project
- macOS Mach port / XPC denial — crash containing
bootstrap_check_inand "Permission denied (1100)". The surface error looks like an application crash (e.g. ChromiumCheck failed: kr == KERN_SUCCESS), but the root cause is seatbelt denyingmach-register/mach-lookupfor a service. Seen with Playwright launching headless Chromium, and applies to other multi-process macOS tools (Electron, Puppeteer, etc.). Sandbox config cannot grant Mach port access, so this genuinely requiresdangerouslyDisableSandbox.
- Suggest a config fix. Tell the user what to add to
~/.claude/settings.json:- Network: add host to
sandbox.network.allowedHosts - Filesystem: add path to
sandbox.filesystem.allowWrite
- Network: add host to
- If retrying unsandboxed, explain what restriction was hit and why the sandbox config change would be the better long-term fix.
Configured Exceptions
Some commands are known to always fail in the sandbox (e.g. docker, colima ssh).
These can be configured in ~/.claude/sandbox-first.json or .claude/sandbox-first.json
under the skip_failure_requirement key. The enforcement hook will allow
dangerouslyDisableSandbox: true for these commands without requiring a prior
sandboxed failure.
What NOT to Do
- Do not preemptively use
dangerouslyDisableSandboxbecause you think a command "might" fail in the sandbox. Try it first. - Do not silently retry unsandboxed after a sandbox failure. Always surface what happened.
- Do not use
dangerouslyDisableSandboxfor convenience. It exists for cases where the sandbox genuinely cannot support the operation.
Related Skills
technicalpickles/plugins/writing-tools/skills/writing-for-scannability
tools
VerifiedTrustedCommunity
--- name: writing-for-scannability description: Use when structuring prose so readers can skim it - drafting or restructuring READMEs, docs, PR or issue bodies, design docs, RFCs, or any long-form text where a wall of prose hides the structure. Also use when explicitly asked to make something scannable or skimmable, convert prose to a list, surface a buried list, fix a wall of text, or decide whether bullets or prose fit. Strong signal: text with parallel sentence shapes, contrast markers ("that
10SKILL.mdUpdated Jun 2, 2026
technicalpickles/actually-lsp-ignore
development
VerifiedTrustedCommunity
Ignore actually-lsp nudges for an ecosystem in this project. Use when the user wants to silence, dismiss, or ignore the LSP setup nudges for a specific ecosystem (Rust, TypeScript, Ruby), or invokes `/actually-lsp-ignore` directly. Writes `dismissed=true` to `.claude/actually-lsp.json`. Persistent across sessions for this project only.
10SKILL.mdUpdated May 28, 2026
technicalpickles/actually-lsp-doctor
tools
VerifiedTrustedCommunity
Diagnose and fix LSP setup for the current project's detected ecosystems (Rust, TypeScript, Ruby). Use when the SessionStart hook nudged about a missing LSP plugin, when the env isn't ready (no `bundle install`, no `cargo build`, missing server binary), when LSP calls are failing, or when the user invokes `/actually-lsp-doctor` directly. Walks the per-ecosystem state machine, reports what's missing, then runs the fix.
10SKILL.mdUpdated May 28, 2026
technicalpickles/plugins/github-actions/skills/investigating-runs
tools
VerifiedTrustedCommunity
--- name: investigating-runs description: Use whenever the user mentions a GitHub Actions / GHA run, even casually — invoke this skill before reaching for raw `gh` commands, because the bundled `gha-snapshot` helper distills `gh run view --log-failed` (a firehose) into a readable block with per-job status, failed-step log tails, and annotations. Specific triggers (any one is enough): a `github.com/.../actions/runs/...` URL; the phrase "GitHub Actions" or "GHA"; the `gh run` CLI; a failing workfl
10SKILL.mdUpdated May 21, 2026