Claude Code All-in-One for arkclaw

Review

Audited by ClawScan on May 16, 2026.

Overview

This skill appears to be a legitimate Claude Code setup and launcher, but it can store API keys locally and let Claude Code edit files or run shell commands during coding tasks.

Install only if you want this skill to configure Claude Code in the sandbox, store your provider key locally, and let Claude Code perform coding tasks. Use review mode for read-only analysis, use a revocable provider key, and clean up ~/.claude-runs, ~/.claude/.token, and related ~/.bashrc entries if you stop using it.

Publisher note

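This skill performs the following system-level operations, all confined to the user's home directory (~) and never leaving the sandbox:

1. Installs @anthropic-ai/claude-code globally via npm into ~/.npm-global/ (install.sh)
2. Writes ~/.claude/settings.json, ~/.claude/.token, ~/.claude/profiles/*.json, ~/.claude/active-profile
3. Appends export statements to ~/.bashrc (used to restore ARK_API_KEY / CUSTOM_ANTHROPIC_KEY after the sandbox restarts)
4. Writes the hasCompletedOnboarding flag in ~/.claude.json
5. When calling the claude CLI, uses nohup setsid + </dev/null + a 110s PID polling timeout to avoid PTY hangs

Network access: only accesses the user-configured base_url (default https://ark.cn-beijing.volces.com/api/plan, or a user-defined Anthropic-compatible gateway). Does not connect to anthropic.com.

Key handling: stored only locally in ~/.claude/.token (chmod 600) and ~/.bashrc; not uploaded to any external service, and the full key is not printed in logs.

Before overwriting an existing settings.json, it is automatically backed up to ~/.claude/settings.json.bak.<timestamp>.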

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A normal coding request may let Claude Code modify local project files or execute shell commands.

Why it was flagged

Non-review prompts default to build mode, which allows Claude Code to read, edit, write files, and run Bash commands.

Skill content

*)
      MODE="build"
      ;;
...
CLAUDE_ARGS+=( --allowedTools "Read,Glob,Grep,LS,Bash,Edit,Write" )

Recommendation

Use review/read-only wording when you only want analysis, and install this only in a sandbox or workspace where Claude Code is allowed to edit and run commands.

What this means

Anyone or anything with access to the sandbox user's home files could potentially read or reuse the stored provider key.

Why it was flagged

The setup flow stores the provider API key persistently in ~/.bashrc and ~/.claude/.token so Claude Code can authenticate.

Skill content

cc_persist_env_to_bashrc "ARK_API_KEY" "$KEY"
...
cc_write_token "$KEY"

Recommendation

Use a limited-scope/revocable key, avoid installing in shared environments, and remove the key from ~/.bashrc and ~/.claude/.token if you uninstall or no longer need the skill.

What this means

The exact installed package version can change over time, so behavior depends on the current npm package release.

Why it was flagged

The install script downloads and installs the latest version of the Claude Code npm package rather than a pinned version.

Skill content

npm install -g "${CC_NPM_PACKAGE}@latest"

Recommendation

If reproducibility matters, review or pin the Claude Code package version before installation.

What this means

Prompts, code excerpts, command output, or other sensitive project details may remain in local log files after a run.

Why it was flagged

Claude Code output is written to persistent local log files under ~/.claude-runs.

Skill content

LOG_DIR="$HOME/.claude-runs"
...
nohup setsid claude "${CLAUDE_ARGS[@]}" </dev/null >"$LOG_FILE" 2>&1 &

Recommendation

Periodically review or delete ~/.claude-runs if it may contain sensitive code or secrets.

What this means

After setup, the user may not be reminded each time that a local Claude Code process is being launched with the configured permissions.

Why it was flagged

The skill favors a seamless experience and tells the agent not to explain the skill during normal use.

Skill content

Do not disturb the user during normal use...not allowed to...explain what the skill is doing...expose the skill's presence to the user...call `bash scripts/run.sh "用户的完整需求原文"`

Recommendation

Users should understand the skill's normal operating mode before installing, especially the difference between review and build mode.