My Claw Shell
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is openly a shell-command runner, but its safety controls are weak and its command handling can execute user input outside the intended tmux session.
Install only if you intentionally want the agent to run local shell commands. Treat it like giving the agent terminal access: review commands first, avoid sensitive directories or secrets, and consider fixing the tmux invocation and safety checks before use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to run damaging or high-impact local commands that the skill does not flag as dangerous.
The tool exposes arbitrary shell-command execution but relies on a narrow substring denylist that does not cover several dangerous operations documented in SKILL.md, such as chmod -R or docker system prune.
```js
// Snippet quoted from the skill as audited; the return line is assumed to be the
// plain substring match the finding describes. Kept as-is to show the weak check.
function isDangerous(cmd) {
  const bad = ["sudo", " rm ", " rm-", "reboot", "shutdown", "mkfs", "dd "];
  // Substring match only: "chmod -R", "docker system prune" and many others pass.
  return bad.some((s) => cmd.includes(s));
}
```

Use only with explicit user-directed commands, add a stronger approval model, and prefer an allowlist or sandbox over a small denylist.
A crafted command can execute locally outside the intended tmux session and potentially bypass the skill's safety check.
The command is interpolated into a shell command after escaping only double quotes. Shell substitutions such as backticks or $() can be evaluated by the wrapper shell before tmux receives the text.
```js
const { execSync } = require("child_process");

// As audited: only double quotes are escaped, then the string is handed to a
// wrapper shell, which evaluates $(...) and backticks before tmux sees the text.
const escaped = cmd.replace(/"/g, '\\"');
execSync(`tmux send-keys -t claw "${escaped}" C-m`);
```

Avoid shell interpolation; call tmux with execFile/spawn argument arrays, escape all shell metacharacters if a shell is unavoidable, and validate commands before execution.
Processes, shell state, and prior output may remain active or visible in the claw tmux session across future uses.
The skill deliberately creates and reuses a tmux session, so commands or processes can persist after a single tool call. This is disclosed and purpose-aligned, but users should be aware of it.
Attach to tmux session `claw` (create it if missing: `tmux new -s claw -d`).
Manually inspect or close the tmux session when done, and avoid running long-lived or sensitive commands unless you intend them to persist.
The skill may fail or behave unexpectedly on systems without tmux installed.
The metadata does not declare tmux as a required binary even though the handler calls tmux commands. This is a packaging/dependency declaration gap rather than evidence of malicious behavior.
Required binaries (all must exist): none
Declare tmux as a required binary and restrict supported operating systems if needed.
