OpenClaw CLAUDE BRIDGE

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a plausible Claude Code bridge, but it runs generated bash scripts with broad local read/edit/shell power and ships old executable tasks, so it needs review before use.

Install only if you are comfortable giving this skill local Claude Code access with file-read, file-edit, and shell-command capability. Before use, delete the bundled tasks/results, run it in a sandbox or disposable workspace, avoid secrets in prompts, and verify where your Claude Code CLI sends data.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI05: Unexpected Code Execution
High
What this means

A crafted task description could run unexpected commands on the user's machine when the generated task script is executed.

Why it was flagged

User-controlled prompt text is written into a bash script and later executed. Escaping only double quotes is not enough for shell scripts, so shell substitutions or other metacharacters in a prompt could trigger unintended local command execution.

Skill content
echo "提示: {prompt[:100]}..." ... claude -p "{prompt.replace('"', '\\"')}" --allowedTools "Read,Edit,Bash" ... subprocess.run(["bash", str(script_file)], ...)
Recommendation

Do not run this outside a sandbox unless fixed. The publisher should avoid generating shell scripts for prompts, call the CLI with subprocess argument arrays directly, use robust shell quoting if scripts are unavoidable, and validate task IDs and paths.

ASI02: Tool Misuse and Exploitation
High
What this means

A task can modify local files or run commands, not just return text, and the artifacts do not clearly restrict this to specific user-approved paths or operations.

Why it was flagged

Every generated task allows Claude Code to read files, edit files, and run bash commands. That is broad mutation and command authority for a bridge that is described mainly as code generation, review, and analysis.

Skill content
claude -p "..." --allowedTools "Read,Edit,Bash" > "{RESULT_DIR / f'{task_id}.txt'}" 2>&1
Recommendation

Use read-only or minimal tools by default, request explicit user approval before edits or shell commands, add path allowlists, and separate code-generation tasks from file-mutating repair tasks.

ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

A user may inherit old tasks/results from the publisher's environment, and accidentally running them could attempt to modify unrelated workspace files.

Why it was flagged

The distributed package includes prior generated task scripts with hardcoded absolute paths and instructions to modify files and run a server. These tasks are unrelated to a clean reusable bridge package and could be executed by task ID.

Skill content
cd "/Users/mars/.openclaw/workspace/skills/claude-bridge" ... "你现在有完全的文件系统访问权限" ... "直接修改文件并启动服务器验证修复效果。" --allowedTools "Read,Edit,Bash"
Recommendation

Remove generated tasks and results from the published skill, ship only the bridge code and documentation, and generate per-user task files at runtime.

ASI03: Identity and Privilege Abuse
Low
What this means

Tasks may consume the user's Claude Code subscription and operate under that local account/session.

Why it was flagged

The skill intentionally relies on the user's existing Claude Code login/subscription rather than an API key. This is purpose-aligned and disclosed, but it is still account/session-based authority.

Skill content
Logged in to Claude Code ... Have a valid Claude subscription ... Use the existing subscription
Recommendation

Use only with a Claude Code account/session you trust for the task, and be aware that the registry metadata does not separately declare this credential/session dependency.

ASI06: Memory and Context Poisoning
Low
What this means

Sensitive task text or code review outputs may remain on disk and be visible to later users or future agent runs.

Why it was flagged

Prompts, task metadata, executable scripts, and outputs are persisted under the skill directory. This is useful for task tracking, but it can retain sensitive prompts, code paths, and generated results.

Skill content
TASK_DIR = Path(__file__).parent / "tasks" ... "prompt": prompt ... RESULT_DIR = Path(__file__).parent / "results"
Recommendation

Review and clear the tasks/results directories regularly, avoid placing secrets in prompts, and do not publish generated task history with the skill.

ASI09: Human-Agent Trust Exploitation
Low
What this means

Prompts and file contents given to Claude Code may leave the machine through the configured Claude Code provider or proxy.

Why it was flagged

Bundled run logs show that prior Claude Code executions were routed through a local proxy to an external provider endpoint. The skill's 'local CLI' framing should not be interpreted as fully offline or local-only processing.

Skill content
API: http://localhost:3458 -> https://coding.dashscope.aliyuncs.com/apps/anthropic
Recommendation

Verify the local Claude Code configuration and provider routing before sending private code or data, and update the documentation to describe expected network/data flows.