Claude Code Agent
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: claude-code-skill
Version: 0.2.0
The skill is designed for Model Context Protocol (MCP) integration, enabling sub-agent orchestration and state persistence. It allows the AI agent to dynamically add and manage MCP servers, which involves executing arbitrary commands (`command` and `args` in `ServerConfig`) and passing/inheriting environment variables (`env` in `ServerConfig`) to spawned child processes, as seen in `src/mcp/actions.ts` and `src/mcp/client.ts`. While these capabilities are fundamental to the skill's stated purpose (orchestrating external tool servers like filesystem or GitHub), they represent a significant security risk. The `SKILL.md` and `README.md` explicitly instruct the agent on how to use these powerful features, making the skill highly susceptible to abuse through prompt injection if the agent is compromised, potentially leading to arbitrary code execution or sensitive data exposure from the host system. There is no clear evidence of intentional malicious behavior within the skill's code or documentation, but the inherent high-risk capabilities warrant a 'suspicious' classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A configured MCP server could be asked to read files, change repositories, post to services, or perform other actions depending on the server's tools and credentials.
Caller-supplied MCP requests are passed directly to a connected server. The artifacts do not show an allowlist, confirmation step, or separation between low-risk reads and high-impact tool actions.
export async function executeMcpAction(
  clientId: string,
  request: McpRequestMessage,
) { ... return await executeRequest(client.client, request); }
Only connect trusted MCP servers, restrict which tools can be called, and require user confirmation for file writes, account changes, public posts, or other irreversible actions.
If the MCP configuration is unsafe or modified, the skill can start arbitrary local commands with the user's privileges.
The configured command and arguments are executed as a subprocess to create an MCP transport. The code does not restrict commands to known-safe binaries or server packages.
const transport = new StdioClientTransport({
  command: config.command,
  args: config.args,
  env: { ... }
});
Use a fixed allowlist of MCP server commands, store the config in a protected location, and review any new or changed server entry before initialization.
A compromised or untrusted MCP server could access secrets that were not intended for that server.
Every configured MCP server receives the full process environment plus any server-specific env values. That may include unrelated API keys, cloud credentials, or tokens.
env: {
  ...Object.fromEntries(
    Object.entries(process.env)
      .filter(([_, v]) => v !== undefined)
      .map(([k, v]) => [k, v as string]),
  ),
  ...(config.env || {}),
}
Forward only an explicit per-server environment allowlist, use least-privilege tokens, and declare any required credentials in the skill metadata.
The installed behavior can depend on whatever package version npm resolves at runtime, which is risky for tools that receive local access and credentials.
The documented MCP setup runs npm packages through npx -y without a pinned version. Those packages are not part of the reviewed artifact set.
args: ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]
Pin exact MCP server package versions, verify their source, and avoid auto-accepting package execution for high-privilege tool servers.
Synced messages may be reused as future context; untrusted or stale remote content could influence later agent behavior.
Remote session messages are merged into local sessions. This is purpose-aligned for sync, but the artifacts do not mark remote message origin or trust level.
remoteSession.messages.forEach((m) => {
  if (!localMessageIds.has(m.id)) {
    localSession.messages.push(m);
  }
});
Sync only with trusted sources, preserve origin metadata where possible, and give users a way to review or clear persisted sessions.
