claw-shell
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: claw-shell
Version: 1.0.0
This skill is classified as suspicious due to its core functionality of executing arbitrary shell commands via `tmux send-keys` in `handler.js`. While the `SKILL.md` and `handler.js` include basic client-side checks for 'dangerous' commands (e.g., `sudo`, `rm`, `reboot`) and instruct the AI agent to seek user confirmation, these checks are easily bypassable (e.g., by using `sh -c 'rm -rf /'`). The ability to run any shell command grants broad system access, enabling potential data exfiltration, persistence, or other malicious activities, even if not explicitly coded into the skill itself.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could run commands that change or damage the local environment, and many risky commands would not be caught by the listed checks.
The tool accepts arbitrary command input and sends it to a local shell/tmux session, while the only safety guard is a narrow substring denylist.
function isDangerous(cmd) { const bad = ["sudo", " rm ", " rm-", "reboot", "shutdown", "mkfs", "dd "]; ... } ... execSync(`tmux send-keys -t claw "${escaped}" C-m`);
Use only in a trusted or isolated workspace. Add stronger approval controls for mutating commands, consider a whitelist or command policy, and require explicit user confirmation before high-impact operations.
Some input may execute outside the promised dedicated tmux session, weakening the stated containment and safety model.
The command string is interpolated into a shell command after escaping only double quotes. Shell substitutions such as $() or backticks can execute in the wrapper shell before the text reaches tmux.
const escaped = cmd.replace(/"/g, '\\"');
execSync(`tmux send-keys -t claw "${escaped}" C-m`);
Avoid shell interpolation. Use spawn/execFile with argument arrays or another API that passes the command text to tmux without shell expansion.
Sensitive or stale output from earlier commands can be returned to the agent during later invocations and may influence future actions.
The handler returns the last 200 lines from a persistent pane rather than only output from the current command.
const buf = execSync('tmux capture-pane -t claw -p -S -200');
Capture output per command, clear or delimit the pane before execution, and warn users that terminal output may persist across calls.
Users may install the skill without realizing tmux is required, leading to unexpected failures or local setup assumptions.
The metadata declares no binary dependency even though the handler invokes tmux.
Required binaries (all must exist): none; Required binaries (at least one): none
Declare tmux as a required binary and document expected operating-system support.
Shell state, working directory, environment changes, and long-running processes may continue between tool calls.
The skill creates a detached tmux session that can persist after a single tool invocation. This is disclosed and purpose-aligned, but it is still persistent execution state.
execSync('tmux new -s claw -d');
Provide a clear cleanup command and consider automatically delimiting, resetting, or terminating the session when the user is done.
