ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill

v1.0.1

Dispatch coding tasks to tmux sessions via Sandboxer. Use when you need to spawn Claude Code, Gemini, OpenCode, bash, or lazygit sessions in workspace repos, monitor their progress, or send them commands.

0· 762·2 current·2 all-time
by@chriopter
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (dispatch tasks to tmux sessions / Sandboxer) align with the API endpoints and workspace operations described in SKILL.md. Access to workspace repos, tmux sessions, and commit APIs is consistent with the stated purpose.
!
Instruction Scope
SKILL.md instructs agents to read/write files under /root/workspaces, spawn and control shells (send keystrokes), capture full terminal output, and auto‑commit changes. Those actions go far beyond simple metadata queries: they allow arbitrary command execution and reading/writing repository contents. The doc also documents a POST create with notify_url (external callback) which could be used to exfiltrate data.
Install Mechanism
Instruction-only skill with no install spec or code files. That reduces risk from hidden installers or downloaded artifacts; nothing will be written/installed by the skill package itself.
!
Credentials
The skill declares no env vars or credentials, but the instructions presume an unauthenticated Sandboxer service on localhost:8081 and a workspace rooted at /root/workspaces (explicitly intended for agents running as root). Lack of any authentication requirement in the instructions is a notable security omission for a service that exposes powerful filesystem and command capabilities.
!
Persistence & Privilege
always:false (good), but the platform default allows autonomous invocation. Combined with the skill's ability to run arbitrary commands, read/write files under /root, capture terminal output, and trigger external notify_url callbacks, autonomous invocation increases risk. The skill does not request persistent installation, but its runtime privileges are high.
What to consider before installing
This skill is coherent with its stated goal (controlling tmux sessions and repo workspaces), but it requires trusting a high‑privilege, unauthenticated local service that can run commands and read/write files under /root. Only install/use on a dedicated, fully isolated machine you control. Before enabling: verify the actual Sandboxer server implementation (source code, auth options), restrict access to localhost and firewall outbound callbacks, avoid running as root if possible, limit agent autonomy, and do not use it on shared or production hosts. The notify_url feature can leak session output to external endpoints — treat it as a potential exfiltration vector unless you control the callback endpoints.

Like a lobster shell, security has layers — review code before you run it.

latestvk97chv9wz766g51cstxvz9tvy5811rf7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments