Skill v2.1.0

ClawScan security

Cc · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 25, 2026, 3:56 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's behavior largely matches its description (a tmux relay for the local 'claude' CLI), but there are small mismatches and privacy risks you should be aware of before installing.
Guidance
This skill is coherent with its stated purpose (it runs a `claude` process inside tmux and forwards messages), but installing it will: (1) cause the agent to forward all messages in 'relay mode' to your local `claude` CLI (and thus to Anthropic), which can leak sensitive information; (2) create and persist logs under ~/.local/state/cc/logs containing the conversation output; and (3) rely on your local `claude` CLI being configured with an API key (the skill does not declare or manage that key). Before installing: review scripts/cc.sh yourself, ensure you trust the Anthropic/claude CLI configuration, consider whether you want incremental logs written to disk (and rotate/secure them), and be cautious using relay mode with any sensitive data. If needed, I can point out the exact lines in the script that write logs and read optional env vars, or suggest mitigations (disable logging, change the log path, require explicit confirmation before entering relay mode).

Review Dimensions

Purpose & Capability
Rating: ok
Name/description (Claude Code relay via tmux) aligns with the included script and instructions: the skill starts tmux sessions running `claude -c`, sends user messages into the session, and returns incremental output. The declared required binaries (tmux, claude) are appropriate.
Instruction Scope
Rating: concern
Runtime instructions put the agent into a persistent 'relay mode' that forwards ALL user messages to the Claude Code process and instructs the agent to never answer itself. This is consistent with the stated purpose but is high-risk for accidental data leakage: any sensitive user content will be forwarded to the Anthropic endpoint used by the `claude` CLI. The SKILL.md does not explicitly warn that forwarded content is sent to an external service, nor does it describe how the `claude` CLI authenticates (it assumes the user has already installed and configured it).
Install Mechanism
Rating: ok
No install spec in registry (instruction-only plus bundled script). The SKILL.md recommends `npm i -g @anthropic-ai/claude-code` for the claude CLI, which is reasonable and expected. No remote downloads or extract operations are present in the included files.
Credentials
Rating: note
The skill declares no required env credentials (none listed), which is coherent because authentication happens via the locally installed `claude` CLI. However, the script reads optional env vars (CLAUDE_RELAY_ROOT, CLAUDE_RELAY_MAP, XDG_* fallbacks) that are not documented in SKILL.md. Also, the skill will cause potentially sensitive conversation content to be written to local logs (~/.local/state/cc/logs), which may persist PII or secrets. Users should be aware that the `claude` CLI itself typically needs an API key configured in the environment or config; the skill does not request or manage that key but will cause traffic to flow to that service.
Persistence & Privilege
Rating: note
always: false (normal). The script creates and writes configuration and state under the user's home directories (~/.config/cc and ~/.local/state/cc) and writes incremental logs. That behavior is expected for a relay but means persistent storage of forwarded content on disk; the skill does not modify other skills or system-wide settings.