My Claw Shell

Security checks across malware telemetry and agentic risk

Overview

This skill openly gives the agent a local tmux-backed shell, but the access is broad and its safety checks are too limited to rely on.

Install only if you intentionally want the agent to have terminal access under your local user account. Use it in a disposable workspace, VM, or container when possible; review every command before use; avoid secrets in the tmux session; and do not rely on the built-in dangerous-command check as a meaningful safety boundary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Context-Inappropriate Capability

High (98% confidence)
Finding
The skill accepts an arbitrary string from input.command and forwards it into a tmux shell session, enabling broad shell command execution with the privileges of the hosting process. The only protection is a narrow denylist of substrings, which is trivial to bypass and does not materially reduce the risk of destructive commands, data exfiltration, persistence, or lateral movement.

Intent-Code Divergence

Medium (97% confidence)
Finding
The code suggests dangerous commands are gated, but in reality it only checks for a few keywords such as sudo, rm, reboot, and dd, while executing everything else directly. This creates a false sense of safety because many harmful commands and simple evasions remain possible, including file deletion variants, shell metacharacter abuse, data theft, process spawning, and network retrieval/execution.

VirusTotal

66/66 vendors flagged this skill as clean.
