OpenClaw ClaudeCode Controller

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to run Claude Code through tmux, but it asks for broad unattended coding authority and includes privileged setup steps that users should review carefully.

Install only if you intentionally want an agent to drive Claude Code in a detached tmux session. Prefer running Claude Code without `--dangerously-skip-permissions`, avoid `curl | sh` unless you have verified the installer, use an existing low-privilege account, protect API keys from tmux captures and logs, and clean up sessions when the task is done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Context-Inappropriate Capability
Severity: Medium | Confidence: 96%

Finding: The skill goes beyond controlling an existing Claude Code/tmux session and instructs the agent to modify the host by installing packages, globally installing software, and executing a remote install script. In an agent context, these actions expand the blast radius from task orchestration to system administration and can lead to arbitrary code execution or persistent host changes without explicit user approval.

Context-Inappropriate Capability
Severity: High | Confidence: 97%

Finding: The skill documents `useradd` and `chpasswd` steps that create local accounts and optionally set their passwords; these are privileged persistence and access-management actions unrelated to simple tmux control. If followed by an agent, they could create unauthorized accounts, weaken host security, or leave backdoor-like access on the machine.

Description-Behavior Mismatch
Severity: High | Confidence: 98%

Finding: The manifest frames the skill as tmux-based control and monitoring, but the implementation launches Claude Code with `--dangerously-skip-permissions`, disabling approval prompts entirely. This is a material capability escalation because it converts supervised development assistance into unattended execution of potentially sensitive actions.

Context-Inappropriate Capability
Severity: High | Confidence: 99%

Finding: The skill explicitly enables broad unattended permission bypass via `--dangerously-skip-permissions`, which goes well beyond mere monitoring or auto-confirming known prompts. In practice this can authorize file changes, command execution, and other sensitive operations without user review, creating a pathway for silent misuse or destructive actions.

Context-Inappropriate Capability
Severity: Medium | Confidence: 90%

Finding: The skill includes process-killing and tmux client-detachment actions that can affect other local users or unrelated sessions, exceeding the stated scope of controlling a development session. In shared or multi-session environments, these commands can disrupt legitimate work or hide concurrent oversight by disconnecting attached clients.

Missing User Warnings
Severity: High | Confidence: 98%

Finding: The skill instructs use of `--dangerously-skip-permissions` without a strong warning that safety prompts are being bypassed and actions may run unattended. Omitting that warning materially increases the chance that users or downstream agents invoke a high-risk mode without understanding its consequences.

Missing User Warnings
Severity: Medium | Confidence: 94%

Finding: The skill combines package installs, global npm installation, remote script execution, and privileged account-management steps without clearly warning that these modify the system and may execute untrusted code. In an automation setting, this normalizes dangerous host changes as routine setup and increases the likelihood of accidental compromise.

Missing User Warnings
Severity: Medium | Confidence: 86%

Finding: The skill references configuring `ANTHROPIC_API_KEY` but does not warn about secure handling of credentials, redaction, shell history exposure, or leakage into logs and memory files. In the context of tmux capture and monitoring, poor guidance around secrets handling increases the risk of accidental credential disclosure.

VirusTotal

63/63 vendors flagged this skill as clean.