My Claw Shell

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to run damaging or high-impact local commands that the skill does not flag as dangerous.

Why it was flagged

The tool exposes arbitrary shell-command execution but relies on a narrow substring denylist that does not cover several dangerous operations documented in SKILL.md, such as chmod -R or docker system prune.

Skill content
function isDangerous(cmd) {
  const bad = ["sudo", " rm ", " rm-", "reboot", "shutdown", "mkfs", "dd "];
Recommendation

Use only with explicit user-directed commands, add a stronger approval model, and prefer an allowlist or sandbox over a small denylist.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A crafted command can execute locally outside the intended tmux session and potentially bypass the skill's safety check.

Why it was flagged

The command is interpolated into a shell command after escaping only double quotes. Shell substitutions such as backticks or $() can be evaluated by the wrapper shell before tmux receives the text.

Skill content
  const escaped = cmd.replace(/"/g, '\\"');
  execSync(`tmux send-keys -t claw "${escaped}" C-m`);
Recommendation

Avoid shell interpolation; call tmux with execFile/spawn argument arrays, escape all shell metacharacters if a shell is unavoidable, and validate commands before execution.

Note (High Confidence)
ASI10: Rogue Agents
What this means

Processes, shell state, and prior output may remain active or visible in the claw tmux session across future uses.

Why it was flagged

The skill deliberately creates and reuses a tmux session, so commands or processes can persist after a single tool call. This is disclosed and purpose-aligned, but users should notice it.

Skill content
Attach to tmux session `claw` (create it if missing: `tmux new -s claw -d`).
Recommendation

Manually inspect or close the tmux session when done, and avoid running long-lived or sensitive commands unless you intend them to persist.

What this means

The skill may fail or behave unexpectedly on systems without tmux installed.

Why it was flagged

The metadata does not declare tmux as a required binary even though the handler calls tmux commands. This is a packaging/dependency declaration gap rather than evidence of malicious behavior.

Skill content
Required binaries (all must exist): none
Recommendation

Declare tmux as a required binary and restrict supported operating systems if needed.

Findings (1)

critical

suspicious.dangerous_exec

Location: handler.js:5

Finding: Shell command execution detected (child_process).