claw-shell

Security checks across malware telemetry and agentic risk

Overview

This skill is a real local shell runner, but its command safety checks, tmux containment, and persistent output handling are too broad for unattended use.

Install this only if you intentionally want the agent to have local shell access. Prefer running it in a disposable sandbox, require explicit approval for every command, avoid displaying secrets in the tmux session, and manually inspect or kill the `claw` tmux session when finished.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

An agent could run local commands that modify files, start processes, access the network, or change the system even when the command is not caught by the denylist.

Why it was flagged

The tool accepts arbitrary shell commands but only blocks a small list of substrings, leaving many destructive or high-impact commands outside the safety check.

Skill content
const bad = ["sudo", " rm ", " rm-", "reboot", "shutdown", "mkfs", "dd "];
Recommendation

Use only in a sandbox or with explicit per-command user approval. Replace the denylist with stronger allowlisting, scoped working directories, and a reliable approval path for any mutating command.

ASI05: Unexpected Code Execution
High
What this means

A command that appears to be sent into the dedicated tmux session may instead execute parts of itself in the host shell process, weakening the claimed containment.

Why it was flagged

The user-provided command is interpolated into a shell command with only double quotes escaped, so shell expansions such as command substitution can execute in the wrapper shell before the text reaches tmux.

Skill content
const escaped = cmd.replace(/"/g, '\\"');
execSync(`tmux send-keys -t claw "${escaped}" C-m`);
Recommendation

Avoid shell-string interpolation for user input. Use execFile/spawn with argument arrays or a tmux mechanism that sends literal text without invoking an intermediate shell.

ASI06: Memory and Context Poisoning
Medium
What this means

Previous command output, secrets displayed in the terminal, or untrusted terminal text may be returned to the agent on later calls and influence future actions.

Why it was flagged

The tool returns the last 200 lines of the persistent tmux pane, not just the output produced by the current command.

Skill content
const buf = execSync('tmux capture-pane -t claw -p -S -200');
return buf.toString("utf8");
Recommendation

Capture only output from the current command, clear or isolate sessions per task, and warn users not to display secrets in the managed tmux session.

ASI10: Rogue Agents
Low
What this means

Long-running commands may continue after the agent has returned output, and old session state may remain until the user kills the tmux session.

Why it was flagged

The skill creates a detached tmux session that can persist after the tool call; this is disclosed and aligned with the purpose, but it is persistent background state.

Skill content
execSync('tmux new -s claw -d');
Recommendation

Monitor the `claw` tmux session, stop unwanted processes, and consider adding cleanup, timeout, or per-task session controls.

ASI04: Agentic Supply Chain Vulnerabilities
Info
What this means

The skill may fail or behave unexpectedly on systems without tmux, and users may not realize this dependency before installing.

Why it was flagged

The metadata does not declare tmux as a required binary even though the code calls tmux commands.

Skill content
Required binaries (all must exist): none
Recommendation

Declare tmux as a required binary and document supported operating systems and setup expectations.