Skills Backup Claw Shell
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed shell-command runner, but it grants broad local command authority with weak safety controls and unsafe command interpolation.
Install only if you intentionally want the agent to run local shell commands. Review commands carefully, verify the publisher, avoid printing secrets in the tmux session, and prefer a more constrained tool for routine tasks.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could run commands that modify files, repositories, software, or system state. Some commands the documentation labels dangerous, such as chmod -R or docker system prune -a, are not actually covered by the blocklist.
The tool accepts an arbitrary command string and sends it to tmux, while the only safety gate is a narrow substring blocklist.
const bad = ["sudo", " rm ", " rm-", "reboot", "shutdown", "mkfs", "dd "]; ... ensureSession(); sendCommand(command);
Use this only with explicit user review of each command. Prefer scoped tools or require confirmation for all mutating commands, not just a small list of substrings.
Commands may execute outside the intended tmux session boundary and may not be captured in the returned tmux output, weakening the skill's stated containment model.
The command is placed into a shell string and only double quotes are escaped; shell expansions such as $() or backticks can execute in the wrapper shell before tmux receives the text.
const escaped = cmd.replace(/"/g, '\\"'); execSync(`tmux send-keys -t claw "${escaped}" C-m`);
Avoid shell interpolation for tmux calls; use spawn/execFile with an argument array and robust validation so the command text is sent as data, not parsed by the wrapper shell.
Shell state, running processes, and command output can persist across tasks unless the user manually inspects or stops the tmux session.
The skill creates a detached tmux session that remains available after the individual tool call completes.
execSync('tmux new -s claw -d');
Monitor the claw tmux session and add cleanup, timeout, or explicit stop instructions if persistent shell state is not desired.
Secrets or private output previously printed in the tmux session could be returned to the agent on later calls.
The skill returns the last 200 lines of the persistent tmux pane, which may include output from prior commands, not only the current command.
execSync('tmux capture-pane -t claw -p -S -200');
Avoid printing secrets in this session, clear the pane when needed, and consider capturing only command-scoped output.
For a high-impact shell runner, unclear provenance makes it harder to verify who authored the code and whether this is the intended package.
The embedded metadata identifies a different owner/slug than the registry entry for skills-backup-claw-shell, and the listing has no source or homepage.
"ownerId": "kn72bp1bgek7jc870ge0yk22bh80apyg", "slug": "claw-shell"
Verify the publisher and package lineage before installing, especially because the skill can execute local commands.
