Skillv1.0.0

ClawScan security

Taizi Claw Shell · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

ReviewMar 16, 2026, 4:03 AM

Verdict: Review
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly does what it claims (run commands in a tmux session) but metadata omits the tmux requirement and the implementation uses execSync with insufficient escaping, which can cause the host shell to interpret user input before it's sent to tmux — a dangerous mismatch.
Guidance: This skill runs arbitrary shell commands and returns their output. Before installing, consider: 1) The skill requires tmux but does not declare it — ensure tmux is available and you accept that requirement. 2) The implementation uses node's execSync with the user command interpolated into a shell command; this can cause the host shell to evaluate parts of the input before tmux receives it (e.g., $(cmd), backticks, environment expansions, or other metacharacters), enabling unexpected or destructive host-side execution. 3) The 'dangerous command' check is basic and can be bypassed; the code only returns an error code that your agent must interpret rather than enforcing confirmation. Recommendations: only install if you trust the agent and users of the skill; ask the developer to (a) declare tmux in metadata, (b) avoid execSync with a shell (use spawn with argv or pass arguments to tmux directly to avoid shell expansion), and (c) implement an explicit confirmation step or server-side gating for destructive commands. If you cannot get these fixes, treat the skill as unsafe for untrusted input or production use.

Purpose & Capability: concernThe SKILL.md and handler implement a tmux-backed shell, which is coherent, but the registry metadata lists no required binaries even though tmux is essential. The skill therefore underdeclares its footprint (tmux must be present).
Instruction Scope: concernSKILL.md promises to run commands only inside session 'claw' and to prompt before destructive commands. The handler largely follows that, but it uses execSync to invoke shell commands that incorporate the user-supplied command string. Because the code only escapes double quotes, shell metacharacters (e.g., $(...), `...`, $VAR, ;, &, |) can be interpreted by the invoking shell before tmux is called, meaning input can be executed on the host outside the tmux pane. The 'ask first' behavior is implemented only by returning an error token, not by enforcing an interactive confirmation.
Install Mechanism: okInstruction-only with a small handler.js and no install spec — nothing is downloaded or written during installation. This is low install risk, but the skill still requires tmux at runtime (not declared).
Credentials: okNo environment variables, credentials, or config paths are requested; that is proportionate to the described purpose.
Persistence & Privilege: okalways is false and the skill does not request permanent presence or modify other skills or system config. Normal autonomous invocation is allowed by platform defaults.