Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claude Code Agent

v0.3.0

Programmatically control Claude Code via MCP protocol to execute commands, manage sessions, search and edit code, and coordinate agent teams for development...

4 · 2.7k · 21 current · 22 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description align with the included code: a Node CLI that talks to a backend API and manages MCP servers/clients. Requiring node is appropriate. However the skill expects a backend (SASHA_DOCTOR_URL / CLAUDE_CODE_API_URL) and spawns arbitrary configured commands (e.g., npx servers) — these are coherent for a tool that launches MCP servers, but they broaden the runtime footprint beyond a simple client.
Instruction Scope
SKILL.md and the CLI let agents (via backend) read/write arbitrary files, run bash commands, and modify session behavior (including flags like --append-system-prompt and permission modes such as bypassPermissions). The SKILL.md also includes frontmatter and flags that can be used to alter system prompts. These instructions give broad discretion and can be used to change agent/system behavior beyond normal coded operations.
Install Mechanism
The registry lists no install spec, but the package contains full Node source and a package.json — installing would typically require npm install/build. No remote binary downloads are performed by the skill itself. This is not high-risk by itself, but users must build/run provided code locally (review source before running).
Credentials
No required env vars are declared, but the code uses SASHA_DOCTOR_URL/CLAUDE_CODE_API_URL (defaulting to localhost) and the MCP client spawns child processes while copying the entire process.env into the child's env and merging config.env. Passing the full environment to spawned servers is potentially excessive because it can leak unrelated secrets to child processes or external plugins. Example config files also show storing GITHUB_TOKEN and SLACK_BOT_TOKEN, so misconfigured servers could receive sensitive tokens.
Persistence & Privilege
The skill does not force 'always: true' and does not request special platform-level persistence. It writes/updates a local mcp_config.json and can start long-running MCP servers/processes, which is expected for this purpose. Autonomous invocation is allowed by default (platform behavior) — combined with the ability to append system prompts or bypass permissions this increases risk, but persistence flags themselves are not excessive.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md and CLI offer flags to append or modify system prompts and include permission modes such as 'bypassPermissions'. This is functionally expected for a powerful code-agent, but it is a high-risk capability because it can be used to override agent constraints and perform prompt injection if misused.
What to consider before installing
This skill appears to implement a legitimate Claude Code/MCP CLI, but it expands the attack surface in several ways. Before installing or running it:
1) Review the source (especially src/index.ts and src/mcp/*) yourself — the package will spawn processes (npx servers) and write mcp_config.json to disk.
2) Do not point SASHA_DOCTOR_URL or --base-url to untrusted remote endpoints; the CLI will send commands and content to that backend.
3) Audit the mcp_config you create: restrict allowed commands, avoid embedding unrelated secrets (GITHUB_TOKEN, SLACK_BOT_TOKEN) unless necessary, and use a minimal env in server configs.
4) Prefer the 'plan' permission mode and avoid 'bypassPermissions' or automatically appended system prompts; these flags can subvert safety controls.
5) Run the tool in an isolated environment (container or VM) the first time, with limited privileges and no sensitive environment variables, until you are comfortable with its behavior.
Additional information that would raise confidence: a trusted upstream repo maintainer, a signed GitHub release, and explicit documentation of why the full process.env is forwarded (or code that only forwards an allowlist of variables).

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Platform: Clawdis
Bins: node
