Back to skill

Security audit

claw-shell

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides local shell access, but the controls are too weak for the amount of system authority it grants an agent.

Install only if you intentionally want an agent to have broad local shell access. Use it in a disposable or sandboxed environment, review commands before they run, avoid exposing secrets in the claw tmux session, and kill or clear that session when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill executes arbitrary shell commands provided in input with no approval gate beyond a weak substring blocklist. The blocklist is easily bypassed and does not meaningfully constrain harmful commands, so an agent or upstream caller can run destructive, exfiltrating, or persistence-establishing commands on the host.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill reads the last 200 lines from a persistent tmux session and returns them to the caller, which can expose output from prior unrelated commands. Because the session name is fixed and reused, sensitive data such as tokens, file contents, command history, or prior user context may be leaked across invocations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
handler.js:5