xihe-jianmu-ipc
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
The skill is mostly an IPC hub as described, but it also enables untrusted cross-agent instructions, background agent spawning, token leakage in logs, and a script that patches Claude Code to bypass a warning.
Only install this if you need cross-agent IPC and are comfortable managing a local message hub. Set IPC_AUTH_TOKEN, keep the hub bound to localhost or firewall it, treat all incoming IPC messages as untrusted, avoid using ipc_spawn without explicit approval, and do not run the Claude Code patch script unless you intentionally want to modify that installation.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Another local or reachable network process could inject messages into connected AI sessions, and those messages may be treated as work requests.
If IPC_AUTH_TOKEN is not set, the hub accepts unauthenticated message-routing requests from any client that can reach the API.
function checkAuth(providedToken) {
if (!AUTH_TOKEN) return true; // Auth disabled
return providedToken === AUTH_TOKEN;
}
...
// HTTP API for sending messages — any tool (Codex, curl, scripts) can use thisRequire IPC_AUTH_TOKEN by default, avoid exposing the hub beyond localhost unless needed, and document how users should firewall or bind the service.
A message from another session or HTTP client could redirect the agent's goals or cause it to perform actions the user did not intend.
The instructions make incoming IPC content operationally authoritative without requiring sender verification or user confirmation.
1. When you receive an incoming IPC message, read it carefully and act on the request. 2. After completing a task received via IPC, report back using `ipc_send` to the sender.
Treat IPC messages as untrusted input, verify the sender, and require explicit user approval before acting on requests that modify files, accounts, settings, or public outputs.
The agent may launch additional AI processes that continue work outside the immediate conversation, increasing cost and risk of unintended actions.
The MCP server exposes a tool that can create additional AI sessions, including background sessions, with a user-supplied task.
name: 'ipc_spawn', description: 'Spawn a new Claude Code session. Background mode runs a one-shot task and reports back via IPC. Interactive mode opens a new terminal window.'
Make ipc_spawn opt-in, require user confirmation for every spawn, clearly disclose it in SKILL.md, and provide controls to list and stop spawned sessions.
Running this script can remove an upstream safety warning and alter another installed tool in a way users may not expect.
This script modifies Claude Code's installed CLI to bypass a warning dialog for development channels.
Patches Claude Code's cli.js to skip the dev channels warning dialog. ... const replacement = 'if(true)gd'; ... writeFileSync(cliPath, content.replace(target, replacement));
Do not run this patch unless you fully understand the impact. The skill should avoid modifying third-party CLIs or should require explicit, documented user approval with an undo path.
Anyone with access to process logs or terminal output could recover the IPC shared secret and impersonate a session.
The shared authentication token is placed in the WebSocket URL and then logged to stderr.
if (authToken) url += `&token=${encodeURIComponent(authToken)}`;
...
process.stderr.write(`[ipc-channel] connecting to hub at ${url}\n`);Send tokens in headers where possible and redact credentials from logs, especially connection URLs.
If configured with a third-party endpoint, IPC message contents will be sent there.
Incoming IPC messages can be forwarded to a user-configured HTTP endpoint, which is purpose-aligned for channel notifications but expands where message content goes.
IPC_CHANNEL_URL — HTTP endpoint to POST messages to (optional) ... body: JSON.stringify(body)
Only set IPC_CHANNEL_URL to endpoints you trust, and avoid sending secrets or sensitive project data through IPC messages.