v1.0.2

use-claudecode

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 7:00 AM.

Analysis

This skill is a disclosed Claude Code wrapper, but it deliberately bypasses local permission prompts and gives an agent broad ability to run commands and change files, so it needs careful review before installation.

GuidanceInstall this only if you intentionally want an agent to delegate local coding work to Claude Code with broad file and command authority. Prefer running it in a dedicated project directory, with a sanitized environment and dedicated credentials, and require explicit approval before writes or shell commands. Windows users should avoid enabling it until the PowerShell argument handling is fixed.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityMediumConfidenceHighStatusConcern

SKILL.md

当你（OpenClaw）收到以下类型的用户请求时，必须触发使用此技能 ... 只要涉及文件工程，就立刻调用 `talk_to_claude`

The skill tells the host agent it must or should immediately invoke this high-authority tool for broad file-engineering tasks, which can reduce user-directed control.

User impactAn agent may hand off coding tasks to local Claude Code even when the user did not explicitly approve local command execution.

RecommendationRequire explicit user confirmation before invoking this skill on a project, especially for write operations or command execution.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

__init__.py

"Execute a prompt against the Claude CLI to read, write, fix code, or execute terminal commands." ... cmd.extend(["--permission-mode", "bypassPermissions"])

The tool is explicitly designed for local command execution and file mutation, and the implementation always adds Claude Code's permission-bypass flag.

User impactA mistaken, injected, or overly broad task could modify files or run local commands without Claude Code stopping for permission prompts.

RecommendationRemove `bypassPermissions` by default, restrict allowed project paths, and require user approval before file writes, shell commands, or dependency changes.

Unexpected Code Execution

SeverityHighConfidenceMediumStatusConcern

__init__.py

cmd.append(f'"{message}"') ... ps_cmd = " ".join(cmd) ... subprocess.run(["powershell", "-Command", full_ps_cmd], ...)

On Windows, the caller-controlled `message` is concatenated into a PowerShell command string. PowerShell syntax in the message could be interpreted before it reaches Claude.

User impactOn Windows, malicious or untrusted prompt text could trigger direct PowerShell command execution with the user's privileges.

RecommendationDo not build a PowerShell command string from user-controlled text; pass arguments directly without a shell or apply robust PowerShell escaping.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

__init__.py

if shutil.which("claude") is None: ... "npm install -g @anthropic-ai/claude-code"

The skill depends on an external global CLI/npm package, while the registry requirements and install spec do not declare or provision it.

User impactUsers must separately ensure the installed `claude` binary is the official, trusted Claude Code CLI.

RecommendationInstall Claude Code only from the official source and consider declaring the binary dependency in the skill metadata.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceMediumStatusNote

__init__.py

cmd = ["claude"] ... env = os.environ.copy() ... subprocess.run(... env=env ...)

The local Claude CLI runs under the current user's environment and likely uses that user's existing CLI account/session; the skill does not declare a separate credential boundary.

User impactThe delegated Claude Code process may have access to the user's local environment variables, CLI authentication, and account-level authority.

RecommendationUse a dedicated account or sanitized environment for this skill, and avoid running it in shells that contain unrelated secrets.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

__init__.py

def talk_to_claude(... is_new_session: bool = False, ...) ... if not is_new_session: cmd.append("--continue")

The default behavior continues a prior Claude Code session, so earlier context can influence later tool calls unless `is_new_session` is set.

User impactOld prompts, project context, or instructions may carry into later tasks and affect what the delegated Claude Code process does.

RecommendationUse `is_new_session=True` for unrelated tasks and clear Claude Code sessions when switching projects or trust boundaries.