Back to skill
Skillv1.1.1
ClawScan security
Ask Claude · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 14, 2026, 2:12 PM
- Verdict
- Review
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's stated goal (wrap the Claude Code CLI and keep workdir-local sessions) is plausible, but several instruction-level and trust-related inconsistencies suggest you should inspect the environment and wrapper script before using it.
- Guidance
- Do not install blindly. Before using: (1) inspect the run-claude.sh wrapper and the 'claude' binary (origin, version, what network calls it makes); (2) test in an isolated sandbox or container; (3) avoid pointing the workdir at any sensitive files (SSH keys, AWS creds, ~/.config); (4) ask the author why --permission-mode bypassPermissions is required and remove it if unnecessary; (5) if you must use it, create a disposable user/home or ephemeral VM to limit persistent session storage in ~/.claude/projects/.
Review Dimensions
- Purpose & Capability
- noteName/description match the declared requirement for a 'claude' binary. However the SKILL.md is tightly tied to a specific user's paths (/home/xmanel/...) and references a wrapper script run-claude.sh that is not provided, which reduces portability and raises questions about what that script does.
- Instruction Scope
- concernInstructions assert 'workspace-only' operation but also state sessions are stored in ~/.claude/projects/ (outside the chosen workdir). The direct commands use --permission-mode bypassPermissions and unset CLAUDECODE, both of which change runtime behavior and could allow broader file/network access. The skill also claims 'never send data to external servers' despite invoking an external CLI that typically communicates with a service; that claim is not enforceable from the instructions alone.
- Install Mechanism
- okInstruction-only skill with no install spec or downloaded artifacts—this lowers installation risk. The main risk is what the required 'claude' binary and the referenced run-claude.sh wrapper actually do, which are not included.
- Credentials
- concernNo environment variables are declared, yet the SKILL.md manipulates the environment (env -u CLAUDECODE) and relies on a CLI that likely reads credentials/config from ~/.config or env vars. The skill explicitly promises not to touch ~/.ssh, ~/.aws, or ~/.config, but the CLI or session storage could still read those locations unless you verify otherwise.
- Persistence & Privilege
- concernSkill supports persistent sessions stored in ~/.claude/projects/, which persists conversation state outside the specified workdir and could retain data across runs. The use of --permission-mode bypassPermissions suggests the CLI may operate with relaxed permission checks, increasing blast radius if the wrapper or CLI are compromised.