
Security audit

Clawclau

Security checks across malware telemetry and agentic risk

Overview

This is a real background Claude task runner, but it runs unattended Claude sessions with permission safeguards disabled and can persist or forward task content.

Review before installing. Use it only in isolated workspaces, keep secrets out of prompts (prompts are written to disk and may be forwarded in notifications), consider --interval 0 and no Feishu chat for sensitive tasks, regularly clean ~/.clawclau, and patch or constrain the launcher before trusting it with untrusted paths, model values, or high-impact repositories.
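The "patch or constrain the launcher" advice is easier to act on with a repeatable pre-install check. The script below is an added example, not clawclau's code: it greps a skill's script tree for the markers the findings on this page describe (the permission-bypass flag, an outbound notification path, cron persistence, prompts persisted to disk) and prints the matching lines for review. The marker regexes and the sample launcher it audits are assumptions for illustration; the sample is a constructed stand-in, not the real clawclau script.

```bash
#!/usr/bin/env bash
# Added example (not clawclau's code): pre-install audit of a skill's launcher
# scripts for the behaviours reported in this audit. Marker regexes and the
# sample launcher are assumptions; adapt them to the scripts you review.

# launcher_markers DIR -> prints the name of every risk marker whose regex
# matches a file under DIR, one per line, in a fixed order; prints nothing for
# a clean tree. Always exits 0 so it composes in pipelines.
launcher_markers() {
  local dir="$1" name regex
  while read -r name regex; do
    [ -n "$name" ] || continue
    # -r recurse, -E extended regex, -I skip binaries, -q status only
    if grep -rEIq -e "$regex" "$dir" 2>/dev/null; then
      printf '%s\n' "$name"
    fi
  done <<'EOF'
permission_bypass  dangerously-skip-permissions
external_notify    cc_notify|feishu|notify_chat
cron_persistence   crontab
prompt_at_rest     PROMPT_FILE|prompt:
EOF
  return 0
}

# audit_launcher DIR -> human-readable report with the offending lines, so the
# reviewer can decide whether to patch or constrain the launcher first.
audit_launcher() {
  local dir="$1" found
  found=$(launcher_markers "$dir")
  if [ -z "$found" ]; then
    printf 'OK: no risk markers under %s\n' "$dir"
    return 0
  fi
  printf 'REVIEW before installing: %s\n' "$dir"
  printf '%s\n' "$found" | sed 's/^/  marker: /'
  printf 'matching lines:\n'
  grep -rEIn -e 'dangerously-skip-permissions|cc_notify|feishu|notify_chat|crontab|PROMPT_FILE|prompt:' \
    "$dir" 2>/dev/null | sed 's/^/  /'
  return 0
}

# make_sample_skill -> throwaway directory holding a CONSTRUCTED stand-in
# launcher (not clawclau's) that exhibits the reported behaviours: prompt
# persisted to disk and registry, permission bypass in a detached tmux
# session, cron progress reporter, outbound notification. Prints the path.
make_sample_skill() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/cc_dispatch.sh" <<'EOF'
#!/usr/bin/env bash
# constructed sample, not the real clawclau launcher
PROMPT_FILE="$HOME/.clawclau/prompts/$TASK_ID.md"
printf '%s\n' "$prompt" > "$PROMPT_FILE"
echo "prompt: $prompt" >> "$HOME/.clawclau/tasks.yaml"
tmux new-session -d -s "cc-$TASK_ID" \
  "claude --dangerously-skip-permissions < '$PROMPT_FILE'"
(crontab -l 2>/dev/null; echo "*/5 * * * * $CC_SCRIPTS/cc_progress.sh $TASK_ID") | crontab -
cc_notify "$notify_chat" "task $TASK_ID started"
EOF
  printf '%s\n' "$dir"
}

# Demo: audit the constructed sample, then clean up.
sample=$(make_sample_skill)
audit_launcher "$sample"
rm -rf "$sample"
```

Run it against the skill's scripts directory (for this skill, the path the README exports as CC_SCRIPTS) before the first launch; a non-empty marker list is the cue to read the matching lines and decide which behaviours to remove or gate before trusting the launcher with a real repository.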

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly exposes shell-capable operations such as installing packages, creating files under ~/.clawclau, exporting environment variables, and invoking task-management scripts, yet no explicit permissions are declared. This creates a trust and review gap: a user or host system may underestimate that the skill can execute commands, modify local state, and manage background processes.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The design explicitly documents a steerable mode that runs Claude with `--dangerously-skip-permissions`, which disables normal permission safeguards for an interactive agent process. In the context of an asynchronous task dispatcher that can run unattended in tmux, this materially increases the risk of unauthorized file access, command execution, or other harmful actions if prompts are unsafe, hijacked, or misused.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script invokes Claude with `--dangerously-skip-permissions` in both non-interactive and steerable modes, explicitly disabling permission safeguards for an automated background task runner. Because prompts and workdirs are user-controlled, this can let model-directed actions execute with broader filesystem or shell access than users may realize, making prompt injection or mistaken tasking substantially more dangerous in this scheduler context.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger description is broad and ambiguous, including natural-language phrases like dispatching tasks, checking background status, terminating tasks, and batch dispatch. Overbroad triggers can cause the skill to activate in situations the user did not clearly intend, increasing the chance of unintended shell execution, task creation, or task termination.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation states that the skill writes prompts, logs, task registries, and configuration files locally and can terminate background tasks, but it does not present an explicit user-facing warning. Because prompts and results may contain sensitive data, silent persistence and task-control capabilities can expose private information or disrupt existing work without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises automatic completion notifications and periodic monitoring via cron without clearly warning that task status information may be sent externally and that background monitoring can continue after the initiating interaction ends. This is riskier in context because the tool is specifically designed for asynchronous task orchestration, so users may unintentionally enable persistent execution and metadata leakage.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The notification mechanism sends task-related messages directly to Feishu or via system events without any warning, consent flow, or guidance about what content may be transmitted externally. Because this skill handles background Claude tasks and progress reporting, notifications can easily include sensitive prompts, outputs, filenames, or operational context, creating a real data leakage risk.

Missing User Warnings

Low
Confidence
73% confidence
Finding
The document describes storing and reading a Feishu chat identifier from config or environment variables without warning that destination identifiers and associated metadata may themselves be sensitive. While a chat ID alone is not usually critical, exposing or mishandling it can reveal internal communication structure and increases the chance of misrouting notifications to unintended recipients.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script uses a dangerous permission-bypass mode but the user-facing output only reports task/session details and does not prominently disclose that Claude is being launched without normal permission checks. In a task-dispatch skill, that missing transparency increases the chance operators will submit sensitive or high-impact jobs without understanding the trust boundary change.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The full prompt is written to `$PROMPT_FILE`, and later the task registry stores `prompt: $prompt`, creating at-rest copies of potentially sensitive user instructions or embedded secrets. In this orchestration tool, prompts may contain credentials, proprietary code requests, or incident data, so silent persistence materially increases confidentiality risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
On completion, the script extracts text from the log and sends a summary through `cc_notify`, which may transmit model output snippets to another channel or service without explicit disclosure or filtering. If logs contain secrets, source code, credentials, or incident details, the notification path becomes an additional exfiltration surface.

Ssd 3

Medium
Confidence
91% confidence
Finding
This code retains task logs and relays extracted snippets in plain-language completion notifications, increasing the number of locations where sensitive task content is stored or exposed. In an async scheduler, users may not be present when this happens, so accidental disclosure risk is amplified by automation and background execution.

Ssd 3

Medium
Confidence
93% confidence
Finding
The periodic progress reporter continuously extracts snippets from live logs and forwards them via notifications, potentially leaking partial prompts, generated content, or secrets multiple times during a task's lifetime. Repeated automated disclosure broadens exposure and can reveal information even if the final result is later cleaned up or redacted.
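The findings above describe two exposure paths for the same content: prompts persisted under ~/.clawclau (the `$PROMPT_FILE` and `prompt: $prompt` registry entries) and log snippets forwarded by the completion and progress notifiers. The block below is an added example, not clawclau's code, of the filter a user could put in front of both: a redaction pass for common credential shapes, a per-file count for triaging what is already on disk, and a notifier wrapper that redacts and truncates before anything leaves the host. The regexes are assumptions (a handful of common token formats, case-sensitive), the log is constructed, and Feishu delivery is replaced by printing the message.

```bash
#!/usr/bin/env bash
# Added example (not clawclau's code): redaction and triage for prompts/logs
# persisted under ~/.clawclau and for snippets forwarded by the notifier.
# Patterns are assumptions: a few common credential shapes, case-sensitive,
# not an exhaustive list. Extend them for your environment.

# redact_secrets: stdin -> stdout with secret-shaped tokens replaced.
# Rules, in order: key=value pairs for common secret names (value only),
# AWS access key IDs, GitHub personal tokens, sk- style API keys, bearer
# tokens, and PEM private-key headers (rest of line dropped).
redact_secrets() {
  sed -E \
    -e 's/([Pp]assword|[Pp]asswd|[Ss]ecret|[Tt]oken|[Aa]pi[_-]?[Kk]ey)([[:space:]]*[=:][[:space:]]*)[^[:space:]]+/\1\2[REDACTED]/g' \
    -e 's/AKIA[0-9A-Z]{16}/[REDACTED]/g' \
    -e 's/ghp_[A-Za-z0-9]{36}/[REDACTED]/g' \
    -e 's/sk-[A-Za-z0-9_-]{20,}/[REDACTED]/g' \
    -e 's/[Bb]earer [A-Za-z0-9._-]{16,}/Bearer [REDACTED]/g' \
    -e 's/-----BEGIN [A-Z ]*PRIVATE KEY-----.*/[REDACTED PRIVATE KEY]/'
}

# count_secret_hits FILE -> number of lines redaction would alter; use it to
# triage ~/.clawclau/prompts and ~/.clawclau/logs before cleaning them up.
count_secret_hits() {
  local n=0 line redacted
  while IFS= read -r line || [ -n "$line" ]; do
    redacted=$(printf '%s\n' "$line" | redact_secrets)
    [ "$redacted" = "$line" ] || n=$((n + 1))
  done < "$1"
  printf '%s\n' "$n"
}

# safe_notify CHAT LOGFILE [MAX_LINES] -> the message a hardened cc_notify
# wrapper would send: only the tail of the log, redacted, each line capped,
# so a whole log never leaves the host. Delivery is out of scope here; the
# message is printed instead of being posted to Feishu.
safe_notify() {
  local chat="$1" logfile="$2" max_lines="${3:-5}" body
  body=$(tail -n "$max_lines" "$logfile" | redact_secrets | cut -c1-200)
  printf '[notify -> %s]\n%s\n' "$chat" "$body"
}

# Demo on a CONSTRUCTED log; every secret below is made up.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
[task 42] cloning repository
[task 42] running: export db_password=sup3rs3cret-constructed
[task 42] curl -H "Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345" https://example.invalid/api
[task 42] AWS key seen in .env: AKIAABCDEFGHIJKLMNOP
[task 42] tests passed, 3 files changed
EOF
printf 'lines needing redaction: %s\n' "$(count_secret_hits "$LOG")"
safe_notify "oc_xxxxxxxx" "$LOG" 3
rm -f "$LOG"
```

Redaction of this kind is a safety net, not a guarantee: patterns miss secrets they do not know about, so the stronger controls remain keeping secrets out of prompts and disabling the Feishu chat for sensitive tasks. The at-rest count is still useful after the fact, to decide which files under ~/.clawclau need deleting rather than archiving.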

Session Persistence

Medium
Category
Rogue Agent
Content
brew install tmux jq && which claude

# Initialize
mkdir -p ~/.clawclau/logs ~/.clawclau/prompts

# Configure notifications (optional)
echo "notify_chat = oc_xxxxxxxx" >> ~/.clawclau/config
Confidence
86% confidence
Finding
mkdir -p ~/.clawclau/logs ~/.clawclau/prompts

# Configure notifications (optional)
echo "notify_chat = oc_xxxxxxxx" >> ~/.clawclau/config

# shell profile (optional)
export CC_SCRIPTS=~/.openclaw/workspace/skills/clawclau/scripts

VirusTotal

64/64 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.