Claude Code Collaboration

Verdict: Warn. Audited by ClawScan on May 10, 2026.

Overview

This skill fits its stated Claude Code collaboration purpose, but the included helper daemon hardcodes an API token and runs Claude Code with permission checks disabled.

Do not run this skill as-is unless you are comfortable editing and supervising the helper. Remove the hardcoded token and use your own scoped credential, remove the Claude Code permission-bypass flag, pin the agent to a deliberately chosen project workspace, and add clear stop/cleanup controls for the background agent and the logs it writes.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: Permission checks disabled for queued prompts

What this means

Any task file dropped into the queue directory can cause Claude Code to read, edit, or execute actions in the configured workspace without prompting the user first. Whoever can write to that directory (another process or package on the machine, or another user with access to it) therefore gets the agent's full authority over the workspace.

Why it was flagged

The helper sends queue-provided prompts to Claude Code while explicitly disabling Claude Code permission checks, allowing high-impact coding actions without normal approval gates.

Skill content
prompt = task.get("prompt", "")
...
["claude", "--print", "--no-session-persistence", "--dangerously-skip-permissions", prompt], cwd=WORK_DIR
Recommendation

Remove --dangerously-skip-permissions, require explicit user approval for file or command actions, and constrain Claude Code to a clearly chosen project directory.

Finding 2: Hardcoded provider API token

What this means

Users may unknowingly run requests through an embedded, shared credential: their prompts and outputs are attributed and billed to whoever owns that account, anyone who reads the skill source holds the same token, and the installer can neither scope, consent to, nor rotate it.

Why it was flagged

The source contains a hardcoded provider API token and overwrites the environment value with it, even though the skill documentation describes the credential as user-provided through environment variables.

Skill content
env["ANTHROPIC_AUTH_TOKEN"] = "sk-sp-..."
Recommendation

Remove the embedded token, require the user to provide their own scoped credential, and document exactly which provider account and permissions are used.

Finding 3: Always-running background daemon

What this means

The agent keeps acting after the initial setup and will process any JSON file that later appears in the local queue directory, with no fresh user decision per task.

Why it was flagged

The helper is an always-running polling daemon that processes every queued JSON task until the process is manually stopped.

Skill content
while True:
        for task_file in Path(IN_DIR).glob("*.json"):
            process_task(task_file)
        time.sleep(2)
Recommendation

Provide a clear start/stop mechanism, PID/status management, a run-once mode, and user confirmation before processing high-impact tasks.

Finding 4: Prompts and model output persisted to disk

What this means

Sensitive code, secrets, or internal discussion included in prompts or model output may persist on disk in the workspace.

Why it was flagged

The helper writes the full prompt, model response, and errors into result JSON files and also maintains a conversation log, so anything pasted into a task (keys, proprietary code, internal notes) persists in plaintext alongside the workspace.

Skill content
"prompt": prompt,
"stdout": stdout,
"stderr": stderr
Recommendation

Avoid putting secrets into prompts, redact token-shaped strings before results are written, restrict permissions on the queue and log directories, and add retention or cleanup controls for generated logs and result files.
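The four recommendations above all concern the same helper, so here is one hardened sketch of it as an added example. This is not the skill's own code and ClawScan did not publish a fix; it keeps only the two claude flags the report shows (--print and --no-session-persistence), takes the credential from the operator's environment instead of embedding one, refuses tasks that point outside the workspace, asks for approval per task, never copies the prompt into the result file, redacts token-shaped strings, and purges old results. The HELPER_WORK_DIR variable, the optional "subdir" task field, the --once flag, the SECRET_RE patterns and the retention window are all assumptions made for this example.

```python
import json
import os
import re
import subprocess
import sys
import time
from pathlib import Path

# Hypothetical layout: queue and results live inside one deliberately chosen
# workspace, taken from an environment variable the operator sets.
WORK_DIR = Path(os.environ.get("HELPER_WORK_DIR", Path.cwd())).resolve()
IN_DIR = WORK_DIR / "queue"
OUT_DIR = WORK_DIR / "results"
PID_FILE = WORK_DIR / "helper.pid"
RESULT_TTL_SECONDS = 24 * 3600  # constructed retention window for result files

# Token-shaped substrings to mask before anything touches disk (constructed
# patterns; extend them for the providers you actually use).
SECRET_RE = re.compile(r"sk-[A-Za-z0-9_-]{8,}|AKIA[0-9A-Z]{16}")


def build_env():
    """Use the operator's own credential; never fall back to an embedded one."""
    env = os.environ.copy()
    if not env.get("ANTHROPIC_AUTH_TOKEN"):
        raise RuntimeError("ANTHROPIC_AUTH_TOKEN is not set; refusing to run")
    return env


def build_command(prompt):
    """Same invocation as the reviewed helper minus the permission bypass."""
    return ["claude", "--print", "--no-session-persistence", prompt]


def validate_task(task, work_dir=WORK_DIR):
    """Return (prompt, cwd); reject tasks that point Claude outside the workspace.

    'subdir' is a hypothetical optional task field naming a project subdirectory.
    """
    prompt = task.get("prompt")
    if not isinstance(prompt, str) or not prompt.strip():
        raise ValueError("task has no prompt")
    cwd = (work_dir / task.get("subdir", ".")).resolve()
    if cwd != work_dir and work_dir not in cwd.parents:
        raise ValueError(f"{cwd} escapes workspace {work_dir}")
    return prompt, cwd


def redact(text):
    """Mask token-looking substrings, keeping a short prefix for debugging."""
    return SECRET_RE.sub(lambda m: m.group(0)[:6] + "[REDACTED]", text)


def write_result(task_file, stdout, stderr, returncode, out_dir=OUT_DIR):
    """Persist the redacted outcome only; the prompt itself is not copied."""
    out_dir.mkdir(mode=0o700, parents=True, exist_ok=True)
    result = {"task": task_file.name, "returncode": returncode,
              "stdout": redact(stdout), "stderr": redact(stderr)}
    out = out_dir / f"{task_file.stem}.result.json"
    out.write_text(json.dumps(result))
    out.chmod(0o600)  # result files are owner-readable only
    return out


def purge_old_results(now=None, out_dir=OUT_DIR):
    """Retention control: drop result files older than RESULT_TTL_SECONDS."""
    now = time.time() if now is None else now
    removed = []
    for f in out_dir.glob("*.result.json"):
        if now - f.stat().st_mtime > RESULT_TTL_SECONDS:
            f.unlink()
            removed.append(f.name)
    return sorted(removed)


def confirm(prompt):
    """Operator approval per task; a non-interactive run refuses rather than proceeds."""
    if not sys.stdin.isatty():
        return False
    return input(f"Run this task?\n{prompt[:200]}\n[y/N] ").strip().lower() == "y"


def process_task(task_file):
    prompt, cwd = validate_task(json.loads(task_file.read_text()))
    if not confirm(prompt):
        return None
    proc = subprocess.run(build_command(prompt), cwd=cwd, env=build_env(),
                          capture_output=True, text=True)
    task_file.unlink()  # a task is handled exactly once
    return write_result(task_file, proc.stdout, proc.stderr, proc.returncode)


def main(run_once):
    """The PID file gives the operator something to stop; --once drains the queue and exits."""
    PID_FILE.write_text(str(os.getpid()))
    try:
        while True:
            for task_file in sorted(IN_DIR.glob("*.json")):
                process_task(task_file)
            purge_old_results()
            if run_once:
                break
            time.sleep(2)
    finally:
        PID_FILE.unlink(missing_ok=True)


if __name__ == "__main__":
    main(run_once="--once" in sys.argv)
```

Run it as `HELPER_WORK_DIR=/path/to/project python helper.py --once` to drain the queue under supervision; without `--once` it polls like the original but can be stopped with `kill $(cat helper.pid)`. The per-task confirmation deliberately fails closed when stdin is not a terminal, which is exactly the situation (a detached daemon) in which the original helper would have run with permission checks disabled.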