claw-shell
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a powerful local shell tool with limited safeguards, persistent terminal state, and a command-wrapping issue that can execute input outside the intended tmux session.
Install only if you intentionally want the agent to run local shell commands. Prefer using it in a disposable or sandboxed environment, review commands carefully, and be aware that the tmux session and its output can persist between uses.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could run commands that change or damage the local environment, and many risky commands would not be caught by the listed checks.
The tool accepts arbitrary command input and sends it to a local shell/tmux session, while the only safety guard is a narrow substring denylist.
function isDangerous(cmd) { const bad = ["sudo", " rm ", " rm-", "reboot", "shutdown", "mkfs", "dd "]; ... } ... execSync(`tmux send-keys -t claw "${escaped}" C-m`);
Use only in a trusted or isolated workspace. Add stronger approval controls for mutating commands, consider a whitelist or command policy, and require explicit user confirmation before high-impact operations.
Some input may execute outside the promised dedicated tmux session, weakening the stated containment and safety model.
The command string is interpolated into a shell command after escaping only double quotes. Shell substitutions such as $() or backticks can execute in the wrapper shell before the text reaches tmux.
const escaped = cmd.replace(/"/g, '\\"');
execSync(`tmux send-keys -t claw "${escaped}" C-m`);
Avoid shell interpolation. Use spawn/execFile with argument arrays or another API that passes the command text to tmux without shell expansion.
Sensitive or stale output from earlier commands can be returned to the agent during later invocations and may influence future actions.
The handler returns the last 200 lines from a persistent pane rather than only output from the current command.
const buf = execSync('tmux capture-pane -t claw -p -S -200');
Capture output per command, clear or delimit the pane before execution, and warn users that terminal output may persist across calls.
Users may install the skill without realizing tmux is required, leading to unexpected failures or local setup assumptions.
The metadata declares no binary dependency even though the handler invokes tmux.
Required binaries (all must exist): none; Required binaries (at least one): none
Declare tmux as a required binary and document expected operating-system support.
Shell state, working directory, environment changes, and long-running processes may continue between tool calls.
The skill creates a detached tmux session that can persist after a single tool invocation. This is disclosed and purpose-aligned, but it is still persistent execution state.
execSync('tmux new -s claw -d');
Provide a clear cleanup command and consider automatically delimiting, resetting, or terminating the session when the user is done.
