Claude Code Supervisor

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Claude Code supervisor, but it gives scripts broad ability to read terminal output, run configured commands, and type into live sessions without enough safeguards.

Install only in trusted projects and review the generated .claude settings and .claude-code-supervisor.yml before enabling hooks. Avoid remote LLM or webhook backends for sensitive repositories unless you accept the data exposure, move or remove the fixed /tmp helper, and do not run the watchdog or auto-approve permission prompts until nudges are tightly allowlisted and logged.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs users to run shell commands and install executable hook scripts, but it does not declare permissions or otherwise warn that it performs shell-capable actions. That mismatch can cause users or harnesses to trust and execute a skill with greater system access than its metadata suggests, increasing the chance of unsafe execution in environments that rely on permission declarations.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The installer generates an executable helper script at a fixed path in /tmp, a world-writable shared directory. That creates a trust and integrity risk because other local users or processes could pre-create, replace, or tamper with the script, and agents may later execute the wrong content outside the project’s control boundary.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script is not purely observational: when it detects an IDLE Claude session, it automatically sends text and Enter into the tmux session. That creates an integrity risk because a monitoring component can alter agent behavior, trigger unintended actions, or resume work without explicit operator approval, especially if the configured nudge message or session state is incorrect.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly encourages users to send alert payloads to arbitrary external endpoints such as OpenClaw, ntfy, Slack, or custom webhooks, but it does not warn that those JSON payloads may contain session state, prompts, errors, filenames, or other sensitive development context. In a monitoring skill for coding agents, that omission is security-relevant because users may unknowingly forward proprietary codebase metadata or operational details to third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README describes 'fast LLM triage' of Claude Code stop/error/notification events but does not clearly disclose that event content may be transmitted to an external model provider. Because this skill is specifically designed to inspect live agent session events, the analyzed content could include sensitive prompts, terminal output, code snippets, secrets, or internal project details, making silent model forwarding a meaningful data exposure risk.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The quick-start section tells the user to run an installer that creates project files such as `.claude/hooks/supervisor/`, `.claude/settings.json`, and `.claude-code-supervisor.yml`, but it does not prominently warn that repository configuration will be modified. This is a real transparency/safety issue because hidden file writes can surprise users, alter project behavior, and make review or rollback harder.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance explicitly suggests auto-approving interactive permission prompts by sending "y" when the action appears to be within broad safety bounds such as file writes in the project directory. In a supervisory automation skill, this is risky because permission prompts exist to gate potentially destructive or unexpected actions, and a coarse heuristic can approve writes, command execution, or other side effects without meaningful user review.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script asynchronously invokes triage.sh with the current working directory, session ID, tool name, and tool error text, which may contain sensitive repository paths, identifiers, prompts, secrets, or internal error content. Because this transmission happens automatically in a background hook with no user disclosure or consent mechanism in the script, it creates a real data-exposure risk, especially if triage.sh forwards the data to an LLM, webhook, or notification backend as described by the skill.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The hook captures the last 30 lines of a tmux pane and forwards that content to triage.sh for further processing, which may expose sensitive terminal contents such as prompts, credentials, file contents, or user data beyond what is strictly needed for stop-state detection. In this skill's context, the behavior is intentional for supervision, but the lack of minimization, sanitization, or explicit disclosure increases privacy and data-exposure risk, especially if triage.sh sends the data to an external LLM or notification backend.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function forwards arbitrary prompt text to a configurable external triage command, which may send session content to a third-party CLI or remote model endpoint. In this supervisor skill, captured tmux output can include source code, secrets, filesystem paths, and operational details, so the lack of explicit consent, allowlisting, or data minimization creates a real confidentiality risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Notification text is packaged and sent through a configurable external command without validation or disclosure. While the payload is usually less sensitive than full triage prompts, completion summaries and status messages can still leak project names, task details, or other internal metadata to external systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends project path, inferred goal, and recent terminal output to `ccs_triage`, which is an external LLM-backed triage function, without any consent, redaction, or visibility controls in this script. Because terminal output can contain source code, secrets, internal paths, tokens, or sensitive error content, this creates a real data-exposure risk if the triage backend is remote or logs prompts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The watchdog injects keystrokes into a live supervised session without any interactive warning, approval, or visible guardrail at the point of action. In this context, the skill supervises long-running coding agents, so silent automatic input can cause unexpected code changes, command execution, or confusing agent behavior that the user may not realize originated from the watchdog.

Session Persistence

Medium
Category
Rogue Agent
Content
### 3. Register a supervised session

Create `~/.openclaw/workspace/supervisor-state.json` (or wherever your harness keeps state):

```json
{
```
Confidence
84% confidence
Finding
Create `~/.openclaw

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal