Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
fast-claude-code
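v1.0.5
Claude Code task-completion callback runtime. Supports three modes: Single / Interactive / Team. ⚠️ Tasks run in a background tmux session and, on completion, notify automatically via a System Event, with no polling required. Use when: you need to run a Claude Code task and be notified when it completes. NOT...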
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the implementation: scripts start Claude in tmux, monitor for a completion marker, and trigger callbacks. Required binaries (bash, claude, tmux) match the stated purpose. Minor inconsistency: SKILL.md metadata lists jq as optional but team.sh exits if jq is not present (team mode effectively requires jq).
Instruction Scope
The runtime instructions and scripts do more than just 'start Claude and notify': team mode writes .claude/hooks/on-stop.sh into the project, updates .claude/settings.json, captures tmux output, enumerates (and reports) up to 20 files from the project tree, and then triggers callbacks. Interactive modes force a persistent protocol that tells Claude to always emit CC_CALLBACK_DONE after every response. The scripts also attempt to auto-accept dangerous permission prompts by sending keystrokes into the tmux session. These behaviors expand the skill's access (file system, modifying repo metadata/hooks, automated permission bypass) beyond a minimal 'run-and-notify' surface and are worthy of caution.
Install Mechanism
No external download/install mechanism is used (instruction-only with bundled scripts). That reduces supply-chain risk. The skill does write files into the user's project directory at runtime (hooks and settings in .claude), which is expected for the feature but remains a write-to-disk action the user should be aware of.
Credentials
The skill does not declare required env vars, but it expects/uses several external endpoints and values: a required --session-key argument (OpenClaw gateway session key) and optional CC_WEBHOOK_URL / NTFY server for callbacks. Callbacks (openclaw/webhook/ntfy) cause data to be sent off-host; webhook.sh will POST JSON to whatever WEBHOOK_URL is provided (via arg or CC_WEBHOOK_URL). The on-stop hook aggregates and sends a project file listing (and could be extended to include content) to the configured callback—this is proportionate for a 'callback' tool but introduces exfiltration risk if the callback endpoint is untrusted. Also the code encourages setting CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS=1 and uses --dangerously-skip-permissions (auto mode), which escalates what Claude is allowed to do. Finally, the jq dependency is treated inconsistently (optional in metadata, required by team.sh).
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. However, it writes and later removes hooks and settings within the project's .claude directory and creates persistent tmux sessions. It also attempts to auto-accept permission prompts, which increases the blast radius if used in 'auto' mode. The ability to create hooks that run on Claude stop and to enumerate project files is a persistent capability within the project scope: expected for the feature, but a privilege worth acknowledging.
What to consider before installing
What to check before installing/using:
- Review callback targets: examine what callback backend you'll use (openclaw, webhook, ntfy). webhook mode will POST JSON to any URL you supply or CC_WEBHOOK_URL—do not point this to untrusted endpoints. Prefer the platform's internal gateway (openclaw) if you want to avoid sending data to external servers.
- Understand file writes and reads: team mode installs .claude/hooks/on-stop.sh and edits .claude/settings.json in your project. The on-stop hook enumerates files (up to a limit) and sends that list to the callback. If your repository contains sensitive files, run this only in a safe/test copy or inspect the hook first.
- Avoid auto mode on sensitive projects: the scripts encourage --permission-mode auto / --dangerously-skip-permissions and even auto-accept permission prompts via tmux. This lets Claude run tools without interactive confirmation—do not use 'auto' in sensitive or production repositories.
- Verify jq availability: team mode expects jq and will error out if missing even though metadata calls it 'optional'. Install jq or avoid team mode.
- Obtain and protect session keys: you must supply a session-key to route callbacks. Treat that key as sensitive and do not hardcode it in public scripts.
- Run in isolated environment first: test the skill in a disposable clone/container to observe exactly what it writes and sends before using it on real code.
- Inspect the included hook (on-stop.sh) and callback scripts yourself: they are bundled with the skill and will be run on your filesystem—ensure you are comfortable with their logic and destinations.
If you can't confirm the callback endpoints and are not prepared to run with the permission-bypass behavior, treat this skill as risky.
Runtime requirements
⚡ Clawdis
OS: macOS · Linux
Bins: bash, claude, tmux
Any bin: openclaw
