Skill v1.0.0

ClawScan security

BMAD Orchestrator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 26, 2026, 3:42 PM
Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary
The orchestrator's instructions generally match its stated goal (coordinating BMAD via a remote Claude Code instance), but they ask the agent to SSH into and control a dev VM, create persistent cron jobs, and deliberately bypass Claude Code permissions — all without declaring or justifying the required credentials and privileges.
Guidance
This skill coordinates a local chat workflow with a remote dev VM running Claude Code via SSH/tmux, and its instructions explicitly tell the remote VM to run 'npx @anthropic-ai/claude-code --dangerously-skip-permissions' and auto-accept the permissions prompt. Before installing or using: (1) confirm you trust the remote VM and the maintainer of the BMAD framework; (2) do not provide SSH keys or credentials unless you intend to grant full control of that VM; (3) avoid running the recipe that uses --dangerously-skip-permissions — prefer to install and authorize Claude Code manually and verify permissions yourself; (4) be cautious about allowing the skill to create cron jobs or persistent tmux sockets that can exfiltrate output; (5) if you still want to use it, run the commands manually in a controlled environment (or a throwaway VM) first and audit what files the orchestration reads/writes. The metadata should have declared the need for SSH credentials and persistent remote access — their absence is a red flag.

Review Dimensions

Purpose & Capability
note: The skill's name and description align with the instructions: it coordinates interactive phases locally and delegates implementation to a remote Claude Code instance via tmux/SSH. Expectation of tmux, Claude Code, and a dev VM is reasonable. However, the skill does not declare that it requires SSH credentials, access to the remote VM, or the ability to create cron jobs — capabilities that are necessary to fulfil the described purpose.
Instruction Scope
concern: SKILL.md instructs the agent to run multiple SSH/scp/tmux commands, create socket dirs and sessions, read/write remote files, set up a cron job to monitor progress, and capture remote output for reporting. It also explicitly instructs booting Claude Code with the flag --dangerously-skip-permissions and auto-selecting the permission prompt. These actions go beyond simple orchestration: they grant a skill the ability to control a remote VM, persist background monitoring, and bypass an agent's permission UX. The instructions also reference environment-like variables (VM_HOST, VM_USER, PROJECT_PATH) but those are not declared as required inputs.
Install Mechanism
concern: There is no install spec (instruction-only), which is low-risk in itself, but the tmux setup explicitly runs 'npx @anthropic-ai/claude-code --dangerously-skip-permissions' on the remote VM. That instructs downloading and running code via npm on the remote host and using an explicit flag to skip permissions — a higher-risk operation that the skill neither declares nor mitigates.
Credentials
concern: The skill requires implicit access to an SSH-able dev VM (host, user, and keys/passwords) and to the remote filesystem (to read/write _bmad-output and /tmp prompt files), yet requires.env and primary credential fields are empty. Requiring remote control and the ability to create cron jobs is a significant privilege that is not declared or justified in the metadata.
Persistence & Privilege
concern: The instructions create persistent artifacts on the remote VM: tmux sessions/sockets and a cron job that polls and reports status every 15 minutes. While persistence can be appropriate for long-running orchestration, combined with the permission-bypass flag and undeclared credential requirements this increases the blast radius and should be explicitly requested and reviewed.