Hardened Docker sandbox for bug bounty and offensive security research.
CyberBox pairs a hardened sandbox container with Prowlr (a Caido proxy plugin), harbinger (an autonomous hunting pipeline), and csbx (a community plugin manager). Built for the hunter who works out of Caido + Obsidian + a local LLM.
| Component | Role |
|---|---|
| cybersandbox | Docker image with 160+ security tools, Ollama client, Metasploit, mounted wordlists volume |
| Prowlr (Caido plugin) | Scope enforcement, dual-LLM AI analysis (Claude + Ollama), embedded xterm.js terminal, Obsidian findings export, NemoClaw-style guardrails |
| harbinger | Autonomous recon → scan → report pipeline; Fabric-style prompt patterns |
| csbx | Plugin manager (Homebrew-tap style); pdtm-compatible install path for Go tools |
| invoke-claude / invoke-ollama | CLI wrappers for both AI providers with uniform flags |
Container (pulls the published image from GHCR):

```bash
docker pull ghcr.io/prowlrbot/cybersandbox:latest
docker compose up -d   # uses ./docker-compose.yaml in the repo root
```

If `docker compose` fails with `docker-credential-desktop.exe not found` on WSL, drop the stale credsStore (public images need no auth):

```bash
sed -i 's/"credsStore": "desktop.exe",\?//' ~/.docker/config.json
```
Building from source (contributors, custom mounts, Obsidian vault) uses cybersandbox/docker-compose.dev.yml — see cybersandbox/SETUP.md.
Caido plugins:

- prowlr-v0.2.1.zip (this repo) — scope, AI analysis, Obsidian export, guardrails
- ShadowShell (hahwul, recommended companion) — multi-tab terminal with split panes, AI-CLI presets (Claude/Gemini/Codex), and Cmd+J drop-down overlay. Prowlr's terminal tab is intentionally minimal; ShadowShell covers the serious terminal workflow.

Install both via Caido → Settings → Plugins → Install from file.
Host CLI:

```bash
export ANTHROPIC_API_KEY=sk-ant-…
./harbinger/bin/harbinger status
./harbinger/bin/harbinger hunt example.com
./harbinger/bin/harbinger pattern analyze_vulns < request.txt
```

CyberBox is built to be trusted by a hunter running it against real targets:
- SSRF allowlist on all AI endpoints (*.anthropic.com, https only, for Claude)
- AI output always schema-validated before surfacing
- NemoClaw-style guardrails — 7 prompt-injection patterns filtered from traffic before it reaches the LLM, 6 secret classes redacted from AI responses (sk-ant-, AKIA, ghp_*, JWTs, etc.)
- Per-provider AI rate limiter
- No hardcoded values — 15+ settings in the Prowlr UI, env vars for every CLI knob
- Container runs non-root, ports bound to 127.0.0.1, vault mounted read-only
- CI publishes SBOM + provenance attestation
See cybersandbox/SECURITY.md and the hardening log in the changelog.
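To make the guardrail list above concrete, here is an added example in the plugin's language (TypeScript). It is not Prowlr's code: the function names (isAllowedAiEndpoint, redactSecrets, stripInjection, parseFinding), the allowed-host table, the secret and injection regexes, and the Finding schema are illustrative assumptions chosen to show each check, not the project's actual patterns or settings.

```typescript
// Added example (not Prowlr's code): a minimal guardrail layer of the kind
// the README describes. Host list, secret patterns, injection patterns and
// the Finding schema are illustrative assumptions, not the project's own.

interface EndpointRule {
  scheme: string;      // exact URL.protocol value, e.g. "https:"
  hosts: string[];     // exact hostnames allowed
  suffixes: string[];  // dotted suffixes allowed, e.g. ".anthropic.com"
}

// Assumption: Claude only over https to anthropic.com and its subdomains;
// Ollama only over plain http to loopback.
const ENDPOINT_RULES: Record<string, EndpointRule> = {
  claude: { scheme: "https:", hosts: ["anthropic.com"], suffixes: [".anthropic.com"] },
  ollama: { scheme: "http:", hosts: ["127.0.0.1", "localhost"], suffixes: [] },
};

// SSRF allowlist: parse the URL first, so lookalike suffixes such as
// "api.anthropic.com.evil.example" and userinfo/fragment tricks are judged
// on the real hostname, then check scheme and host against the provider rule.
function isAllowedAiEndpoint(provider: string, rawUrl: string): boolean {
  const rule = ENDPOINT_RULES[provider];
  if (!rule) return false;
  let url: URL;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is denied, never "probably fine"
  }
  if (url.protocol !== rule.scheme) return false;
  if (url.username !== "" || url.password !== "") return false;
  const host = url.hostname.toLowerCase();
  return rule.hosts.includes(host) || rule.suffixes.some((s) => host.endsWith(s));
}

// Secret classes redacted from model output before it is shown or exported.
// Illustrative regexes; a real deployment tunes these per secret format.
const SECRET_PATTERNS: Array<[string, RegExp]> = [
  ["anthropic-key", /sk-ant-[A-Za-z0-9_-]{8,}/g],
  ["aws-access-key", /\bAKIA[0-9A-Z]{16}\b/g],
  ["github-token", /\bghp_[A-Za-z0-9]{20,}/g],
  ["jwt", /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g],
];

function redactSecrets(text: string): { text: string; redacted: string[] } {
  const redacted: string[] = [];
  let out = text;
  for (const [label, re] of SECRET_PATTERNS) {
    out = out.replace(re, () => {
      redacted.push(label);
      return `[REDACTED ${label}]`;
    });
  }
  return { text: out, redacted };
}

// Prompt-injection filter applied to captured traffic before it is sent to
// the LLM: any line matching a pattern is replaced whole rather than forwarded.
const INJECTION_PATTERNS: RegExp[] = [
  /ignore\s+(all\s+|any\s+)?(previous|prior|above)\s+instructions/i,
  /disregard\s+(the|your)\s+(system|previous)\s+prompt/i,
  /you\s+are\s+now\s+(a|an)\s+/i,
  /<\/?\s*(system|assistant)\s*>/i,
];

function stripInjection(text: string): { text: string; hits: number } {
  let hits = 0;
  const lines = text.split("\n").map((line) => {
    if (INJECTION_PATTERNS.some((re) => re.test(line))) {
      hits += 1;
      return "[FILTERED: possible prompt injection]";
    }
    return line;
  });
  return { text: lines.join("\n"), hits };
}

// Schema check on model output: only a well-formed finding reaches the UI.
interface Finding {
  title: string;
  severity: "info" | "low" | "medium" | "high" | "critical";
  evidence: string;
}
const SEVERITIES = ["info", "low", "medium", "high", "critical"];

function parseFinding(raw: string): Finding | null {
  let obj: unknown;
  try {
    obj = JSON.parse(raw);
  } catch {
    return null;
  }
  if (typeof obj !== "object" || obj === null) return null;
  const f = obj as Record<string, unknown>;
  if (typeof f.title !== "string" || typeof f.evidence !== "string") return null;
  if (typeof f.severity !== "string" || !SEVERITIES.includes(f.severity)) return null;
  return { title: f.title, severity: f.severity as Finding["severity"], evidence: f.evidence };
}
```

Two design choices worth noting: the allowlist is decided on the parsed hostname and scheme, never on a substring match over the raw string, so a URL whose path or fragment merely contains `api.anthropic.com` is rejected; and the injection filter drops the whole matching line instead of deleting the matched words, so the surrounding text cannot be reassembled into the same instruction. Regex redaction is best-effort: treat any key that was ever echoed by the model as compromised and rotate it.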
```bash
csbx search xss                          # community registry
csbx install seclists                    # big wordlists
csbx install gf-patterns
csbx pdtm subfinder                      # pdtm-format Go tool install
csbx pdtm github.com/lc/gau/v2/cmd/gau   # raw go-install path
csbx list
```

Registry lives at ProwlrBot/csbx-registry — PRs welcome.
```text
caido-plugin/   Prowlr Caido plugin (TypeScript, IIFE bundle)
cybersandbox/   Dockerfile, compose, SETUP, SECURITY, CHANGELOG
harbinger/      bin/{harbinger,csbx,invoke-claude,invoke-ollama}
patterns/       Fabric-style prompt library
tests/          bash test harness (16 tests)
.github/        CI workflow, issue + PR templates
```
This project originated as a fork of agent-infra/sandbox. The original README is preserved at UPSTREAM_README.md. All CyberBox-specific code is under the same license as upstream.
Reference sources (patterns extracted, not cloned in bulk):
- projectdiscovery — nuclei/subfinder/httpx/katana + pdtm manifest format
- danielmiessler — SecLists, Fabric prompt patterns
- hahwul — dalfox, Caido plugin patterns, ShadowShell (recommended companion terminal plugin)
- tomnomnom — waybackurls, gau
- wshobson/agents — Claude Code security subagents
- NVIDIA NemoClaw — AI guardrail patterns
Report suspected vulnerabilities privately — see SECURITY.md. Scope, hardening notes, and the disclosure window are in cybersandbox/SECURITY.md.
See LICENSE.
