Run remote code validation, PR checks, and secure scripted workflows.
The skill itself is marked prompt-only and open-source, so its direct execution surface is low. However, the materials describe a Crabbox CLI that requires login, syncs local checkouts, and dispatches work to remote broker/cloud environments, so real-world use should be treated cautiously as a remote execution workflow.
The materials conflict with the metadata: the metadata says no keys are needed, but the README explicitly describes broker login, token storage in the user config file, and coordinator token input via stdin. This implies authentication credentials and possible secret environment forwarding, but there is no explicit evidence of malicious credential abuse.
The README clearly states that it connects to a remote broker URL, syncs the current checkout to remote boxes, and handles logs, results, caches, and possible secret/env forwarding. This is typical network egress for a remote execution tool, but the actual data destination depends on the operator-configured broker/provider because no fixed public endpoint is declared.
The skill itself is prompt-only, but the described Crabbox CLI is used to run commands remotely, warm reusable boxes, hydrate Actions, and execute scripts, with local invocation of the `crabbox` binary triggering remote execution. These are standard remote runner/CLI capabilities, and no additional privilege-abuse red flags are evident from the materials.
The README states it runs from the repository root and mirrors the current checkout to a remote environment for validation; it also reads/writes the user config directory and keeps logs/results/caches. It can access local repository contents, configuration, and potentially environment variables. The scope is broadly consistent with its stated purpose, but sensitive code or secrets require careful handling.
The positive factor is that it is open-source on GitHub and the source can be audited. However, there is no declared license, community adoption is 0 stars, maintenance status is unknown, and the materials suggest obtaining binaries from release docs or local builds. Overall supply-chain confidence is limited, so source and release artifacts should be reviewed before use.
Copy the install command and let the AI configure it · recommended for beginners
Please install the "crabbox" skill from askskill: 1. Download https://raw.githubusercontent.com/openclaw/crabbox/main/.agents/skills/crabbox/SKILL.md 2. Save it as ~/.claude/skills/crabbox/SKILL.md 3. Reload skills and tell me it's ready
Use Crabbox to run a remote validation for this GitHub PR: check out the latest code, install dependencies, run tests and linting, and return timing, logs, and a result summary.
A complete PR validation report with status, key logs, timing, and a summary of failures.
Use Crabbox to run pre-deployment check scripts in an isolated environment, securely forward required environment variables without exposing secrets in logs, and report results and cache hits.
Script execution results, secure handling notes, cache usage details, and a summary for release decisions.
Use Crabbox to rerun a failed job with a warmed reusable environment, keep captures, logs, and timing data, and automatically clean up the lease afterward.
A reproducible failure record including captures, logs, performance timing, and cleanup completion status.
Use Crabbox when a project needs remote proof, larger cloud capacity, warm reusable runner state, Actions hydration, fresh PR checkouts, live-secret smoke tests, durable logs/results, or fast sync from a dirty local checkout.
crabbox.yaml or .crabbox.yaml before adding flags.command -v crabbox && crabbox --version && crabbox --help | sed -n '1,80p'.bin/crabbox after a local
build.crabbox login --url <broker-url>.broker.url is configured, crabbox login reuses that broker URL.printf '%s' "$CRABBOX_COORDINATOR_TOKEN" | crabbox login --url <broker-url> --provider aws --token-stdin.~/Library/Application Support/crabbox/config.yaml on
macOS or the platform user config dir elsewhere. It should contain:broker:
url: <broker-url>
token: <token>
provider: aws
For OpenClaw/OpenClawd validation, prefer Blacksmith Testbox first when the workflow already gives the needed setup and the delegated command path is enough:
crabbox run --provider blacksmith-testbox --timing-json -- pnpm test
If Blacksmith is queued, unavailable, unauthenticated, or lacks the SSH-backed feature needed for the proof, rerun the same command shape on AWS:
crabbox run --provider aws --timing-json -- pnpm test
Actions setup remains repo-owned in both paths. Blacksmith owns Testbox workflow hydration and command transport. AWS uses Crabbox SSH sync/run and Actions hydration for the persistent workspace. This is operator choice, not automatic CLI fallback.
One-shot command:
crabbox run --timing-json --preflight -- pnpm test
Warm a reusable box:
crabbox warmup --idle-timeout 90m
crabbox warmup --provider aws --class beast --market on-demand --idle-timeout 90m
crabbox warmup --provider aws --os ubuntu:26.04 --desktop --browser --desktop-env wayland
crabbox warmup --provider aws --os ubuntu:26.04 --desktop --browser --desktop-env gnome
ubuntu:26.04 is the preferred portable Linux OS selector where the provider
catalog supports it. Use --os ubuntu:24.04 only when a test must stay on the
previous LTS. Explicit provider image flags still win over --os.
Repos with actions.workflow hydrate automatically during crabbox run. Use
manual hydration when you want to prepare a reused lease before running commands:
crabbox actions hydrate --id <cbx_id-or-slug>
Use crabbox actions hydrate --github-runner --id <cbx_id-or-slug> when the
workflow needs full GitHub Actions semantics, repository secrets, OIDC, service
containers, or unsupported uses: steps.
Run commands:
crabbox run --id <cbx_id-or-slug> -- pnpm test:changed
crabbox run --id <cbx_id-or-slug> --full-resync -- pnpm test:changed
crabbox run --id <cbx_id-or-slug> --shell "corepack enable && pnpm install --frozen-lockfile && pnpm test"
For package-manager commands on raw AWS/Hetzner boxes, rely on configured
…
Audit and harden OpenClaw hosts for security and operational health.
Automate OpenClaw nightly releases, branch maintenance, and forward-porting to main.
Run Parallels smoke tests with Discord roundtrip verification across host and guest.
Debug Node.js apps with inspect, breakpoints, heap, and CPU profiling.
Generate shareable code or text diffs for review and collaboration.
List chats, review message history, and send iMessage or SMS from CLI.
Run cross-platform remote validation with Crabbox and report the actual provider ID.
Run cross-platform OpenClaw remote validation with provider and lease reporting.
Reproduce and record real Telegram interactions on Crabbox for behavior proof.
Automate Kickbox email verification and related data workflows through Rube MCP.
Run deterministic code linting, formatting, security scans, and guided code improvements.
Unify multiple MCP servers through one interface for cleaner tool discovery and execution.