ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

My Shell

v1.0.0

Runs shell commands inside a dedicated tmux session named claw, captures output, and prompts before executing potentially destructive commands.

0· 328·3 current·3 all-time
by@idienet
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, SKILL.md, and handler.js all align: the skill runs arbitrary shell commands in a tmux session named 'claw' and returns pane output. No unrelated credentials, binaries, or install steps are requested.
!
Instruction Scope
SKILL.md limits scope (only session 'claw', prompts for destructive commands) but the runtime code does not reliably enforce these constraints. The dangerous-command check is string-based and easily bypassed (e.g., common forms like 'rm -rf /' are not always detected). More critically, the code builds a shell command string and only escapes double quotes, so constructs like $(...) or backticks inside the input will be interpreted by the host shell before being sent to tmux, allowing immediate host-side command execution outside the tmux target.
Install Mechanism
No install spec; this is an instruction/code-only skill and does not download or write additional artifacts during installation.
Credentials
The skill requests no environment variables, credentials, or config paths — this is proportionate to its stated purpose.
Persistence & Privilege
always:false (no forced always-on). The skill can be invoked autonomously (platform default). Combined with the implementation vulnerability, autonomous invocation increases risk because the agent could be induced to run crafted inputs that execute on the host.
What to consider before installing
Don't install this skill into sensitive agents as-is. The handler constructs a shell command string and only escapes double quotes, so user-supplied content containing shell substitutions (e.g., $(...), `...`, $VAR expansions) will be executed by the host shell before tmux receives the input — this is an RCE risk. The 'dangerous' filter is a simple substring check and can be bypassed by common command forms. If you need this functionality: (1) ask the author to stop using execSync with a single command string and instead use a subprocess API that avoids a shell (e.g., child_process.spawn or execFile with argument arrays, or execSync with shell disabled), or at minimum properly escape/validate all special shell metacharacters; (2) strengthen the dangerous-command detection and require explicit user confirmation for destructive commands; (3) run the skill in an isolated, non-root container or sandboxed environment and avoid running on hosts with sensitive data. If you cannot get those fixes, treat the skill as unsafe and do not give it access to agents running on production or privileged hosts.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ejty2s1z486gdz77k8vavnn82f5zc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments