Clawclau
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a coherent background Claude Code scheduler, but it runs Claude Code with permission checks disabled and contains shell-command construction that could execute unintended commands.
Install only if you specifically need unattended Claude Code jobs and can run them in a sandboxed workdir. Fix the tmux shell-quoting issue first, avoid sensitive prompts, use short timeouts, and review/clean ~/.clawclau logs and notification settings.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed workdir/model argument could make the spawn command run extra shell commands on the user's machine.
User-controlled workdir and model values are placed into a shell command string without escaping, so crafted paths or model names containing shell metacharacters could cause unintended local command execution.
WORKDIR="${3:-$(pwd)}" ... --model) MODEL="$2" ... tmux new-session ... "bash -l $WRAPPER_FILE $PROMPT_FILE $WORKDIR $LOG_FILE ${MODEL:-}"Patch before use: validate model names, reject shell metacharacters in workdirs, and pass arguments to tmux/wrapper scripts using safe quoting or shell-escaped values rather than interpolated command strings.
A spawned task may read or modify project files and run Claude Code tools without per-action approval while the user is not watching.
Both print and steerable modes run Claude Code with permission prompts disabled, which is a broad tool-execution capability for background tasks.
exec claude -p --dangerously-skip-permissions ... --output-format stream-json ...
exec claude --dangerously-skip-permissions "${MODEL_FLAG[@]}"Do not use this against sensitive directories unless sandboxed. Prefer removing --dangerously-skip-permissions by default, require explicit user confirmation for each spawn, and restrict allowed workdirs.
Tasks and monitors may keep running after the command returns, consuming resources or continuing work until timeout/completion/kill.
The skill intentionally creates detached background monitors that survive the initial spawn process.
双重 fork 脱离进程树:后台完成检测器通过 `((...) &) & disown` 模式被 launchd 接管,不受 spawn 进程退出影响
Use short timeouts, periodically run the check command, and use the kill command for tasks you no longer want. Avoid adding the cron monitor unless you need it.
Task output snippets may appear in a configured chat or OpenClaw event stream, which can expose sensitive code or prompt content if tasks handle private data.
Notifications are forwarded to Feishu or OpenClaw system events; other scripts pass progress and completion summaries into this function.
openclaw message send --channel feishu --target "$chat" --message "$text" ... openclaw system event --text "$text" --mode now
Only configure trusted notification targets, consider disabling progress reports with --interval 0 for sensitive work, and avoid including secrets in prompts or outputs.
Prompts, task outputs, and steering messages may remain on disk under ~/.clawclau after tasks finish.
The local task registry records full prompts, log paths, and steer messages for later status/result retrieval.
"prompt": "完整 prompt", ... "log": "日志文件路径", ... "steerLog": []
Treat ~/.clawclau as sensitive local state, review its file permissions, and periodically delete logs/prompts that contain private information.