Boxed Curl Skill
Run curl-like HTTP requests safely within a WASM sandbox with network access control.
Triggering Method
Use this skill when the user says:
- - "boxed curl", "boxed curl"
- "Sandbox version of curl", "Sandbox curl", "Secure curl"
- "Make a request using boxed-curl", "Help me with boxed-curl"
- "Send a secure HTTP request", "Secure GET/POST request"
- "沙箱版 curl"、"沙箱 curl"、"安全的 curl"
- "用 boxed-curl 请求"、"帮我 boxed-curl"
- "发一个安全的 HTTP 请求"、"安全的 GET/POST 请求"
⚠️ Required Plugin
This skill requires the openclaw-wasm-sandbox plugin version >= 0.2.0.
The wasm-sandbox-download tool was added in version 0.2.0. If the plugin is not installed or version is lower:
CODEBLOCK0
Verify the version:
�CODEBLOCK1
Look for Version: 0.2.0 or higher in the output.
⚠️ WASM File Required
This skill requires the WASM component file to be downloaded first.
If the WASM file does not exist locally, use the wasm-sandbox-download tool to download it:
Step 0: Download WASM File
CODEBLOCK2
Important: Set resume: false for initial download. The download destination is github.com which supports resume.
Tool: wasm-sandbox-run
Use the wasm-sandbox-run tool to execute the WASM component after the WASM file is available.
How It Works
- 1. Check for WASM file — If not found, download using �INLINECODE8
- User provides curl-like arguments (URL with optional options)
- AI extracts the URL and any curl options
- AI determines
allowedOutboundHosts based on the target host - AI calls
wasm-sandbox-run with the arguments and network permissions
Supported Features
| Option | Description | Status |
|---|
| INLINECODE11 | HTTP method (GET, POST, PUT, DELETE, etc.) | ✅ |
| INLINECODE12 |
Add request header | ✅ |
|
-d, --data DATA | Request body data | ✅ |
|
-i, --include | Include response headers | ✅ |
|
-L, --location | Follow redirects | ✅ |
|
-v, --verbose | Verbose output | ✅ |
|
-o, --output FILE | Output to file | ⚠️ Not supported |
Usage Pattern
Step 1: Extract Arguments
Parse the user's input:
- - URL — the target endpoint
- curl options —
-X, -H, -d, etc. allowedOutboundHosts — if user explicitly provided it
Step 2: Determine Network Access
If user did NOT specify allowedOutboundHosts, infer from URL:
| URL Pattern | INLINECODE23 |
|---|
| INLINECODE24 | INLINECODE25 |
| INLINECODE26 |
https://httpbin.org |
|
https://raw.githubusercontent.com/* |
https://raw.githubusercontent.com |
| Any HTTPS URL |
https://<host> (extract host from URL) |
Step 3: Call wasm-sandbox-run
CODEBLOCK3
Examples
GET Request
User says: "fetch data from https://httpbin.org/get"
CODEBLOCK4
POST with JSON Body
User says: �INLINECODE31
CODEBLOCK5
GET with Headers
User says: "fetch with custom Authorization header"
CODEBLOCK6
GitHub API Request
User says: "get GitHub user info for 'octocat'"
CODEBLOCK7
GET with Response Headers
User says: "fetch with -i flag to see response headers"
CODEBLOCK8
Important Notes
- - Always set
allowedOutboundHosts — sandbox blocks all outbound HTTP by default - Download WASM first if missing — use
wasm-sandbox-download tool - Extract host from URL automatically when user doesn't specify
- Use
/post endpoint for POST — /get returns 405 Method Not Allowed - args order: curl options first, URL last
- JSON in -d: escape quotes properly (e.g.,
{\"key\":\"value\"})
Boxed Curl 技能
在具有网络访问控制的 WASM 沙箱中安全地运行类似 curl 的 HTTP 请求。
触发方式
当用户说出以下内容时使用此技能:
- - boxed curl、boxed curl
- 沙箱版 curl、沙箱 curl、安全的 curl
- 用 boxed-curl 请求、帮我 boxed-curl
- 发一个安全的 HTTP 请求、安全的 GET/POST 请求
⚠️ 必需插件
此技能需要 openclaw-wasm-sandbox 插件版本 >= 0.2.0。
wasm-sandbox-download 工具在 0.2.0 版本中添加。如果插件未安装或版本较低:
bash
openclaw plugins install clawhub:openclaw-wasm-sandbox
openclaw plugins update openclaw-wasm-sandbox
openclaw gateway restart
验证版本:
bash
openclaw plugins inspect openclaw-wasm-sandbox
在输出中查找 Version: 0.2.0 或更高版本。
⚠️ 需要 WASM 文件
此技能需要先下载 WASM 组件文件。
如果本地不存在 WASM 文件,请使用 wasm-sandbox-download 工具下载:
步骤 0:下载 WASM 文件
javascript
wasm-sandbox-download({
url: https://raw.githubusercontent.com/guyoung/wasm-sandbox-openclaw-skills/main/boxed-curl/files/boxedcurlcomponent.wasm,
output: dir>/files/boxedcurl_component.wasm,
resume: false,
timeout: 60000
})
重要提示: 首次下载时设置 resume: false。下载目标为 github.com,支持断点续传。
工具:wasm-sandbox-run
在 WASM 文件可用后,使用 wasm-sandbox-run 工具执行 WASM 组件。
工作原理
- 1. 检查 WASM 文件 — 如果未找到,使用 wasm-sandbox-download 下载
- 用户提供类似 curl 的参数(URL 及可选选项)
- AI 提取 URL 和任何 curl 选项
- AI 根据目标主机确定 allowedOutboundHosts
- AI 使用参数和网络权限调用 wasm-sandbox-run
支持的功能
| 选项 | 描述 | 状态 |
|---|
| -X, --request METHOD | HTTP 方法(GET、POST、PUT、DELETE 等) | ✅ |
| -H, --header HEADER |
添加请求头 | ✅ |
| -d, --data DATA | 请求体数据 | ✅ |
| -i, --include | 包含响应头 | ✅ |
| -L, --location | 跟随重定向 | ✅ |
| -v, --verbose | 详细输出 | ✅ |
| -o, --output FILE | 输出到文件 | ⚠️ 不支持 |
使用模式
步骤 1:提取参数
解析用户输入:
- - URL — 目标端点
- curl 选项 — -X、-H、-d 等
- allowedOutboundHosts — 如果用户明确提供
步骤 2:确定网络访问权限
如果用户未指定 allowedOutboundHosts,从 URL 推断:
| URL 模式 | allowedOutboundHosts |
|---|
| https://api.github.com/ | https://api.github.com |
| https://httpbin.org/ |
https://httpbin.org |
| https://raw.githubusercontent.com/* | https://raw.githubusercontent.com |
| 任何 HTTPS URL | https://
(从 URL 提取主机) |
步骤 3:调用 wasm-sandbox-run
javascript
wasm-sandbox-run({
wasmFile: dir>/files/boxedcurl_component.wasm,
allowedOutboundHosts: [https://],
args: [, ]
})
示例
GET 请求
用户说:从 https://httpbin.org/get 获取数据
javascript
wasm-sandbox-run({
wasmFile: dir>/files/boxedcurl_component.wasm,
allowedOutboundHosts: [https://httpbin.org],
args: [https://httpbin.org/get]
})
带 JSON 体的 POST 请求
用户说:curl -X POST https://httpbin.org/post -H Content-Type: application/json -d {name:value}
javascript
wasm-sandbox-run({
wasmFile: dir>/files/boxedcurl_component.wasm,
allowedOutboundHosts: [https://httpbin.org],
args: [-X, POST, -H, Content-Type:application/json, -d, {\name\:\value\}, https://httpbin.org/post]
})
带请求头的 GET 请求
用户说:使用自定义 Authorization 头获取数据
javascript
wasm-sandbox-run({
wasmFile: dir>/files/boxedcurl_component.wasm,
allowedOutboundHosts: [https://httpbin.org],
args: [-H, Authorization:Bearer token123, https://httpbin.org/get]
})
GitHub API 请求
用户说:获取 octocat 的 GitHub 用户信息
javascript
wasm-sandbox-run({
wasmFile: dir>/files/boxedcurl_component.wasm,
allowedOutboundHosts: [https://api.github.com],
args: [https://api.github.com/users/octocat]
})
带响应头的 GET 请求
用户说:使用 -i 标志获取响应头
javascript
wasm-sandbox-run({
wasmFile: dir>/files/boxedcurl_component.wasm,
allowedOutboundHosts: [https://httpbin.org],
args: [-i, https://httpbin.org/get]
})
重要说明
- - 始终设置 allowedOutboundHosts — 沙箱默认阻止所有出站 HTTP
- 如果缺少 WASM 文件,先下载 — 使用 wasm-sandbox-download 工具
- 自动从 URL 提取主机 — 当用户未指定时
- POST 请求使用 /post 端点 — /get 返回 405 Method Not Allowed
- 参数顺序:curl 选项在前,URL 在后
- -d 中的 JSON:正确转义引号(例如 {\key\:\value\})
