
ProwlrBot/CyberBox


CyberBox

Hardened Docker sandbox for bug bounty and offensive security research.



Verify before you run

CyberBox is built to be trusted by hunters running it against real targets. Every published image is keyless-signed with cosign (Sigstore Fulcio + public Rekor transparency log), ships a full SBOM, carries SLSA build provenance, and is blocked from publishing if Trivy reports CRITICAL findings. An independent CI job re-verifies the signature and SBOM on a fresh runner — see verify-supply-chain in the workflow.

IMAGE=ghcr.io/prowlrbot/cybersandbox
DIGEST=$(docker buildx imagetools inspect "${IMAGE}:latest" --format '{{ .Manifest.Digest }}')

cosign verify "${IMAGE}@${DIGEST}" \
  --certificate-identity-regexp "^https://github.com/ProwlrBot/CyberBox/.github/workflows/cybersandbox-build.yml@refs/" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

A clean exit is the contract. If cosign verify fails, don't run the image. Full walkthrough — SBOM inspection, Rekor lookup, local CI reproduction — in the Supply-chain trust guide.
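The fail-closed wrapper below is an added example, not a script shipped with CyberBox: it resolves the current digest, refuses to pin to anything that is not a sha256 digest, runs the same cosign check as above, and only then starts the container. It assumes docker (with buildx) and cosign are on PATH; the image name, identity regexp and issuer are the values from this README.

```shell
#!/usr/bin/env sh
# Added example, not CyberBox's own script: pin to a digest, verify with cosign,
# and start the container only on a clean verify exit. Assumes docker (with buildx)
# and cosign on PATH; IMAGE, identity regexp and issuer are the values from the README.
set -eu

IMAGE="ghcr.io/prowlrbot/cybersandbox"
IDENTITY_RE='^https://github.com/ProwlrBot/CyberBox/.github/workflows/cybersandbox-build.yml@refs/'
ISSUER='https://token.actions.githubusercontent.com'

# True only for "sha256:" followed by exactly 64 lowercase hex digits.
is_sha256_digest() {
  case "$1" in
    sha256:*) [ "${#1}" -eq 71 ] && [ -z "$(printf '%s' "${1#sha256:}" | tr -d '0-9a-f')" ] ;;
    *) return 1 ;;
  esac
}

# Immutable reference IMAGE@DIGEST; refuses tags so a mutable ref can never be "verified".
pinned_ref() {
  is_sha256_digest "$2" || { echo "refusing to pin to non-digest: $2" >&2; return 1; }
  printf '%s@%s\n' "$1" "$2"
}

# Resolve what :latest points to right now; the digest, not the tag, is what gets verified.
resolve_digest() {
  docker buildx imagetools inspect "$1:latest" --format '{{ .Manifest.Digest }}'
}

# Keyless verification against the Fulcio identity of the build workflow.
verify_ref() {
  cosign verify "$1" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$ISSUER" >/dev/null
}

# Fail closed: any error in resolve/pin/verify aborts before docker run.
verify_and_run() {
  ref="$(pinned_ref "$IMAGE" "$(resolve_digest "$IMAGE")")"
  verify_ref "$ref" || { echo "cosign verify FAILED for $ref; not running" >&2; return 1; }
  docker run --rm -it "$ref"
}

# Only start the container when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = "--run" ]; then verify_and_run; fi
```

Run it as `sh verify-and-run.sh --run`; a non-zero exit from any step means the image is not started.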

This matters: the Checkmarx KICS and Trivy supply-chain incidents in March-April 2026 made provenance an active operational concern. Most hunter toolchains (Kali, BlackArch, ad-hoc Go installs) cannot offer this end-to-end without re-architecting. CyberBox can — out of the box.


CyberBox pairs a hardened sandbox container with Prowlr (a Caido proxy plugin), harbinger (an autonomous hunting pipeline), and csbx (a community plugin manager). Built for the hunter who works out of Caido + Obsidian + a local LLM.

What's in the box

Component                     Role
cybersandbox                  Docker image with 160+ security tools, Ollama client, Metasploit, mounted wordlists volume
Prowlr (Caido plugin)         Scope enforcement, dual-LLM AI analysis (Claude + Ollama), embedded xterm.js terminal, Obsidian findings export, NemoClaw-style guardrails
harbinger                     Autonomous recon → scan → report pipeline; Fabric-style prompt patterns
csbx                          Plugin manager (Homebrew-tap style); pdtm-compatible install path for Go tools
invoke-claude / invoke-ollama CLI wrappers for both AI providers with uniform flags

Quick start

Container (pulls the published image from GHCR):

docker pull ghcr.io/prowlrbot/cybersandbox:latest
docker compose up -d          # uses ./docker-compose.yaml in the repo root

If docker compose fails on WSL with docker-credential-desktop.exe not found, remove the stale credsStore entry from ~/.docker/config.json (public images need no auth):

sed -i 's/"credsStore": "desktop.exe",\?//' ~/.docker/config.json

Building from source (contributors, custom mounts, Obsidian vault) uses cybersandbox/docker-compose.dev.yml — see cybersandbox/SETUP.md.

Caido plugins:

  • prowlr-v0.2.1.zip (this repo) — scope, AI analysis, Obsidian export, guardrails
  • ShadowShell (hahwul, recommended companion) — multi-tab terminal with split panes, AI-CLI presets (Claude/Gemini/Codex), and Cmd+J drop-down overlay. Prowlr's terminal tab is intentionally minimal; ShadowShell covers the serious terminal workflow.

Install both via Caido → Settings → Plugins → Install from file.

Host CLI:

export ANTHROPIC_API_KEY=sk-ant-…
./harbinger/bin/harbinger status
./harbinger/bin/harbinger hunt example.com
./harbinger/bin/harbinger pattern analyze_vulns < request.txt

Security posture

Beyond the supply-chain story above, the runtime is hardened end-to-end:

  • SSRF allowlist on all AI endpoints (for Claude: *.anthropic.com over HTTPS only)
  • AI output always schema-validated before surfacing
  • NemoClaw-style guardrails — 7 prompt-injection patterns filtered from traffic before hitting the LLM, 6 secret classes redacted from AI responses (sk-ant-, AKIA, ghp_*, JWTs, etc.)
  • Per-provider AI rate limiter
  • No hardcoded values — 15+ settings in the Prowlr UI, env vars for every CLI knob
  • Container runs non-root, ports bound to 127.0.0.1, vault mounted read-only

See the Supply-chain trust guide, cybersandbox/SECURITY.md, and the hardening log in the changelog.
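As an added illustration of the two NemoClaw-style guardrails listed above (not Prowlr's or invoke-claude's own code), the following POSIX sh + sed/grep sketch redacts the named secret classes from AI output and flags prompt-injection phrases in traffic before it would reach the LLM. The regexes, the injection phrases and the sample response are constructed here and are not the plugin's real lists.

```shell
#!/usr/bin/env sh
# Added example, not Prowlr's or invoke-claude's own code: a minimal version of the two
# NemoClaw-style guardrails the README lists, runnable on the host with POSIX sh + sed/grep.
# The secret patterns and injection phrases are illustrative, not the plugin's real lists.
set -eu

# Redact the secret classes the README names before AI output is shown or logged.
redact_secrets() {
  sed -E \
    -e 's/sk-ant-[A-Za-z0-9_-]{20,}/[REDACTED:anthropic-key]/g' \
    -e 's/AKIA[0-9A-Z]{16}/[REDACTED:aws-access-key]/g' \
    -e 's/ghp_[A-Za-z0-9]{36}/[REDACTED:github-token]/g' \
    -e 's/eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/[REDACTED:jwt]/g'
}

# String-in / string-out wrapper so callers (and tests) need no pipes.
redact_string() {
  printf '%s\n' "$1" | redact_secrets
}

# Returns 0 when the text matches an injection pattern; traffic that trips this
# should be dropped or quarantined rather than forwarded to the LLM.
flag_injection() {
  printf '%s\n' "$1" | grep -Eiq \
    -e 'ignore (all |the )?(previous|prior|above) instructions' \
    -e 'you are now (a|an|the) ' \
    -e '(system prompt|developer message)'
}

# Constructed sample of what an AI response might echo back (every value is a fake).
SAMPLE_RESPONSE='Use sk-ant-api03-EXAMPLEEXAMPLEEXAMPLEEXAMPLE0000 with AKIAIOSFODNN7EXAMPLE; token ghp_0123456789abcdefghijklmnopqrstuvwxyz; bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U'

# Gate for a request/response pair: block the request on injection, redact the reply.
guard_pair() {
  if flag_injection "$1"; then
    echo "[BLOCKED: prompt-injection pattern in request]"
    return 2
  fi
  redact_string "$2"
}
```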

Plugin marketplace (csbx)

csbx search xss            # community registry
csbx install seclists      # big wordlists
csbx install gf-patterns
csbx pdtm subfinder        # pdtm-format Go tool install
csbx pdtm github.com/lc/gau/v2/cmd/gau   # raw go-install path
csbx list

Registry lives at ProwlrBot/csbx-registry — PRs welcome.

Repo layout

caido-plugin/       Prowlr Caido plugin (TypeScript, IIFE bundle)
cybersandbox/       Dockerfile, compose, SETUP, SECURITY, CHANGELOG
harbinger/          bin/{harbinger,csbx,invoke-claude,invoke-ollama}
                    patterns/  Fabric-style prompt library
                    tests/     bash test harness (16 tests)
.github/            CI workflow, issue + PR templates

Upstream attribution

This project originated as a fork of agent-infra/sandbox. The original README is preserved at UPSTREAM_README.md. All CyberBox-specific code is under the same license as upstream.

Reference sources (patterns extracted, not cloned in bulk):

Security

Report suspected vulnerabilities privately — see SECURITY.md. Scope, hardening notes, and the disclosure window are in cybersandbox/SECURITY.md.

License

See LICENSE.


prowlrbot.com · prowlr@proton.me
