fast-claude-code

Security checks across malware telemetry and agentic risk

Overview

This is a real Claude Code background runner, but it grants broad unattended authority, edits project Claude settings, and can transmit task content and output through callbacks.

Review before installing. Use --permission-mode plan unless the project is trusted and version-controlled, inspect .claude/settings.json and .claude/hooks before and after team runs, and avoid webhook or ntfy callbacks for sensitive prompts, source code, logs, or secrets unless you trust the configured destination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 80%
Finding: The skill advertises and instructs shell-based execution, background processes, and tmux orchestration, but the manifest does not declare corresponding permissions. That weakens policy enforcement and user awareness, making it easier for a caller to trigger command execution and project-side effects without an explicit trust boundary.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: This is a real security issue because the documented behavior materially understates what the skill can do: it can modify files under `.claude`, delete or rewrite hook configuration, use additional undocumented modes, poll despite claiming not to, and send data to external callback backends. A user or orchestrator relying on the description could authorize the skill for a narrower purpose while it performs broader persistence, cleanup, and data-exfiltration-adjacent actions.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding: The script supports `--permission-mode auto` by launching `claude --dangerously-skip-permissions` and then automatically accepting the warning inside the tmux session. That meaningfully weakens user safety controls and enables the agent to operate with fewer runtime checks than a user may expect from a callback/monitoring helper, increasing the chance of destructive or privacy-impacting actions in the project environment.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding: The single-task runtime modifies files inside the target project by deleting `.claude/hooks/on-stop.sh` and rewriting `.claude/settings.json`, which exceeds the stated purpose of merely running a Claude Code task with callback support. Because these changes happen automatically and against a user-supplied project path, the skill can silently alter project behavior, remove existing safety/workflow hooks, and create integrity issues in repositories the user did not expect to be mutated.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding: The script supports `--dangerously-skip-permissions`, allowing Claude Code to use tools without confirmation. In this skill's context, tasks and project paths are user-controlled and execution happens in the background, so bypassing permission checks materially increases the chance of unintended file changes, command execution, or other destructive actions without human review.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: The generated on-stop hook recursively enumerates project files and reports file names and sizes through the callback, which exceeds the stated purpose of notifying task completion. This can disclose sensitive repository structure, filenames, and metadata to the callback consumer even when the user only expected a completion signal.

Context-Inappropriate Capability

High
Confidence: 98%
Finding: The script explicitly supports an auto mode that uses Claude Code's dangerous permission bypass, which grants broader execution authority than a simple callback runtime needs. In this context, it materially increases the blast radius of any prompt injection, template abuse, or model mistake during team execution.

Missing User Warnings

Medium
Confidence: 95%
Finding: The script sends task metadata and potentially the last 1000 characters of task output to an ntfy server without any consent prompt, redaction, or restriction to trusted destinations. In this skill context, background Claude Code tasks may process sensitive prompts, code, secrets, or proprietary data, so automatic network transmission increases the risk of unintended data exfiltration.

Missing User Warnings

Medium
Confidence: 95%
Finding: The script sends the full task message, execution output, and session key to an external `openclaw gateway call agent` endpoint without any visible consent, minimization, or validation. Because this skill is explicitly a background callback runtime, it may handle sensitive prompts, results, and identifiers; exfiltrating them to an external gateway materially increases confidentiality and account/session abuse risk.

Missing User Warnings

Medium
Confidence: 92%
Finding: The script sends task, message, and output fields to an external webhook endpoint, which can expose sensitive job content, prompts, code, secrets, or results outside the local environment. In this skill context, background task execution plus automatic callback delivery makes silent exfiltration more dangerous because users may not realize completion data is being transmitted off-host.

Missing User Warnings

Medium
Confidence: 93%
Finding: On timeout, the script captures the entire tmux pane output and forwards it to the callback script, which may transmit sensitive prompts, code, secrets, or terminal output without an explicit just-in-time disclosure or minimization step. In an interactive coding context, pane contents commonly include highly sensitive project and user data, so forwarding full transcripts increases privacy and data-exfiltration risk.

Missing User Warnings

Medium
Confidence: 94%
Finding: When a user requests session closure, the script again captures and forwards session output to the callback script. Closing a session is not equivalent to consenting to transcript export, so this can leak sensitive interactive content to downstream handlers or remote systems unexpectedly.

Missing User Warnings

Medium
Confidence: 95%
Finding: The script deletes a hook file and conditionally rewrites `settings.json` in the target project without explicit consent beyond runtime logs. That is dangerous because it changes repository configuration and can disable existing automation or security controls, while the user may believe they are only launching a background task with callback notification.

Missing User Warnings

Medium
Confidence: 90%
Finding: The script creates `.claude/hooks` and later updates `.claude/settings.json` inside the target project without a clear confirmation step. Silent modification of repository files and tooling configuration can surprise users, affect other workflows, and persist behavior beyond the current run.

Missing User Warnings

High
Confidence: 99%
Finding: In auto mode the script not only launches Claude with dangerous permission bypass, but also programmatically accepts the safety confirmation prompts. This removes the human checkpoint intended to prevent unsafe execution and can enable destructive or overbroad actions without informed consent.

Missing User Warnings

Medium
Confidence: 88%
Finding: The template explicitly instructs the spawned agent to perform file read/write operations 'as needed' without any guardrails, user confirmation step, or scope restriction. In a dialog-oriented skill, this broad permission can lead to unintended or overbroad file modification if a user request is ambiguous or adversarially phrased, especially since tasks run in a background tmux session and complete asynchronously.

Ssd 3

Medium
Confidence: 96%
Finding: The script appends a natural-language instruction requiring the model to emit a fixed completion token, then captures pane output and forwards everything before that token to a callback. This creates a prompt-driven exfiltration/control channel: untrusted task content can deliberately shape what gets returned through callbacks, and any occurrence of the token in task-controlled output can prematurely terminate capture or spoof completion.

VirusTotal

48/48 vendors flagged this skill as clean.