toolguard-daemon-control
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill openly manages macOS background services, but its installer can run unintended shell code from a workdir value and can persist arbitrary programs across sessions.
Install only if you intentionally want an agent to create macOS launchd services. Review the exact command, arguments, environment variables, and workdir before use; avoid untrusted workdir values until the eval issue is fixed, and remember that installed services can keep running until explicitly uninstalled.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed workdir value could run unintended commands as the current user, outside the service command the user meant to install.
The --workdir value is supplied by the caller and then re-parsed through eval, so shell syntax such as command substitution could execute immediately during service installation.
# Expand workdir
WORKDIR=$(eval echo "$WORKDIR")
Remove eval. Use safe tilde expansion or path normalization, quote all values, and reject workdir values containing shell metacharacters.
Special characters in a command, argument, environment value, or service name could produce a broken or manipulated launchd plist and cause a service to run differently than intended.
Command arguments and environment keys/values are inserted directly into XML without escaping or validation, and service names are also used directly in labels and paths.
PROGRAM_ARGS+="
<string>${arg}</string>"
...
ENV_SECTION+="
<key>${KEY}</key>
<string>${VALUE}</string>"
Validate service names and environment keys with a strict allowlist, XML-escape all strings, or generate plists using a safe plist library/tool instead of string concatenation.
If the agent installs the wrong command, it can continue running in the background and restart after failures or future loads until the user removes it.
The skill explicitly creates durable user launch agents for arbitrary executables, with automatic restart behavior.
Manage any executable as a persistent macOS launchd user agent. ... Services are installed as `~/Library/LaunchAgents/ai.toolguard.<name>.plist` ... They auto-restart on failure
Require explicit user confirmation before creating or restarting a service, show the exact command and plist path, consider making KeepAlive/RunAtLoad opt-in, and provide clear stop/uninstall guidance.
The skill may be invoked on unsupported systems or without required platform tools, causing confusing failures rather than a clean refusal.
The skill is documented as macOS launchd control and the scripts call launchctl, but the metadata does not declare macOS or launchctl requirements.
OS restriction: none ... Required binaries (all must exist): none
Declare a macOS OS restriction and required launchctl availability in metadata.
