Persistent Code Terminal

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate persistent coding-terminal skill, but it can automatically run Codex and shell workflows that modify, commit, or push code, so users should review it carefully before installing.

Install only if you want OpenClaw to run persistent local terminal and Codex workflows in your repositories. Keep autoCodeRouting off unless you deliberately want automatic routing; work on feature branches; review the diff, the current branch and the configured remotes before any commit or push; avoid printing secrets in the session; and kill tmux sessions when you are finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill advertises itself primarily as a persistent tmux terminal, but the documented behavior extends into autonomous intent detection, multi-project routing, retries, and execution orchestration. This mismatch matters because users or higher-level routing systems may grant or invoke the skill under narrower assumptions than its actual capabilities, increasing the chance of unintended command execution across repositories.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The natural-language routing trigger is broad and relies on intent detection over ordinary user messages such as requests to fix, test, build, commit, or push. In a chat-driven environment, ambiguous routing can cause the skill to execute code-manipulating workflows when the user intended discussion, analysis, or a narrower action, leading to unintended repository changes or network actions.

Vague Triggers

Medium
Confidence
92% confidence
Finding
Using any message starting with the prefix `codex ` as an execution shortcut is overly permissive because it converts natural language directly into a downstream command-driving workflow. A short prefix increases the risk of accidental triggering, prompt-injection-style abuse through relayed text, or misuse in contexts where the user was referencing Codex rather than authorizing execution.
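The three findings above (capability mismatch, intent-based routing, and the bare `codex ` prefix) share one root cause: ordinary text is turned into an execution decision with no explicit authorization step. The following is an added example, not code from the skill or from SkillSpector; it contrasts the permissive matcher the findings describe with a stricter router. The command form `!codex run <project>: <instruction>`, the config dict shape mirroring `openclaw.config.dev.autoCodeRouting`, the relay markers and the project allowlist are all assumptions chosen for illustration.

```python
"""Hypothetical trigger routing for a chat-driven coding skill (illustrative only).

strict_route executes only when ALL of the following hold:
  * auto-routing is explicitly enabled in config (default off),
  * the message is an explicit command form, anchored at the start of the text,
  * the text is not quoted or relayed content (a cheap prompt-injection filter),
  * the target project is on an allowlist, so scope cannot silently widen.
"""
import re
from dataclasses import dataclass
from typing import Optional, Set

# Intent words a heuristic matcher latches onto in ordinary conversation.
INTENT_WORDS = {"fix", "test", "build", "commit", "push"}


@dataclass(frozen=True)
class Decision:
    execute: bool
    reason: str
    project: Optional[str] = None
    instruction: Optional[str] = None


def permissive_route(message: str) -> Decision:
    """The pattern the findings warn about: a prefix or an intent word is enough."""
    if message.startswith("codex "):
        return Decision(True, "prefix match", None, message[len("codex "):])
    if INTENT_WORDS & set(re.findall(r"[a-z]+", message.lower())):
        return Decision(True, "intent word", None, message)
    return Decision(False, "no match")


# Assumed explicit command shape: "!codex run <project>: <instruction>"
STRICT_CMD = re.compile(r"^!codex run (?P<project>[A-Za-z0-9_-]+): (?P<instr>.+)$", re.S)
# Prefixes that mark quoted, forwarded or pasted text rather than the user's own request.
RELAY_MARKERS = (">", '"', "'", "Forwarded:", "Quoted:")


def strict_route(message: str, config: dict, allowed_projects: Set[str]) -> Decision:
    """Execute only on an explicit, allowlisted command while auto-routing is enabled."""
    # config["dev"]["autoCodeRouting"] stands in for openclaw.config.dev.autoCodeRouting.
    if not config.get("dev", {}).get("autoCodeRouting", False):
        return Decision(False, "autoCodeRouting is off")
    body = message.strip()
    if body.startswith(RELAY_MARKERS):
        return Decision(False, "quoted or relayed text is never an instruction")
    # match() is anchored: an instruction embedded later in a message does not count.
    m = STRICT_CMD.match(body)
    if not m:
        return Decision(False, "no explicit command form")
    project = m.group("project")
    if project not in allowed_projects:
        return Decision(False, f"project {project!r} is not allowlisted")
    return Decision(True, "explicit command", project, m.group("instr").strip())
```

With the permissive matcher, a question such as "can you explain why the test fails?" routes to execution because it contains an intent word; the strict router rejects it, rejects a command that arrives inside quoted text, and rejects a project that was never allowlisted, which is the scope check the first finding asks for.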

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script unconditionally appends routing decisions, including parsed project names and trigger reasons, to .pct-routing.log in the current working directory without clear consent or minimization. User messages may contain sensitive internal project names or operational intent, and writing them into repo-local files can unintentionally expose that data to other users, backups, commits, or tooling.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code automatically invokes another automation script with the user-supplied instruction once heuristic matching succeeds, without any confirmation gate in this file. In a skill designed to drive coding workflows, that means natural-language input can directly trigger downstream automated actions in a persistent terminal session, increasing the chance of unintended code changes, command execution, or repository modifications if the parser misclassifies input or a prompt is adversarially crafted.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prints the full captured tmux pane contents directly to stdout in human-readable mode, which can disclose secrets, credentials, tokens, proprietary code, or other sensitive terminal output to any caller of the summary command. In this skill's context, the terminal is explicitly persistent per-project and intended for coding workflows, making it more likely to contain highly sensitive development data and increasing the practical exposure risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
JSON mode programmatically returns the entire captured terminal output and extracted error lines, enabling easy downstream collection, logging, or exfiltration of sensitive session data by other tools or agents. Because this skill is designed for persistent coding terminals and automation-friendly usage, the structured API-style exposure is more dangerous than a purely interactive display and can leak secrets at scale without clear user awareness.
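The three findings on repo-local logging, human-readable pane output and JSON pane output describe the same missing control: nothing filters or minimizes terminal data before it leaves the session. The following is an added example, not the skill's or the scanner's code; it redacts secret-looking material before either output mode, returns a bounded tail plus error lines instead of the whole pane, and writes a routing record that carries only a truncated hash of the project name under the user's state directory rather than `.pct-routing.log` in the repository. The secret patterns, the `routing.log` location and the sample pane text are constructed for illustration and are not exhaustive.

```python
"""Hypothetical output hygiene for a persistent-terminal skill (illustrative only)."""
import hashlib
import json
import os
import re
from typing import Dict, List

# Ordered (label, pattern) pairs: specific token formats first, generic KEY=VALUE last.
SECRET_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b")),
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("env_assignment", re.compile(
        r"(?i)\b([A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|PASSWD|KEY))=(\S+)")),
]
ERROR_LINE = re.compile(r"(?i)\b(error|traceback|exception|fatal|failed)\b")


def redact(text: str) -> str:
    """Replace secret-looking values with a labelled placeholder; keep variable names."""
    for label, pat in SECRET_PATTERNS:
        if label == "env_assignment":
            text = pat.sub(lambda m, label=label: f"{m.group(1)}=[REDACTED:{label}]", text)
        else:
            text = pat.sub(f"[REDACTED:{label}]", text)
    return text


def extract_errors(pane_text: str) -> List[str]:
    """Error-looking lines, taken from the redacted text so they cannot re-leak a value."""
    return [line for line in redact(pane_text).splitlines() if ERROR_LINE.search(line)]


def summarize_pane(pane_text: str, json_mode: bool = False, max_lines: int = 20) -> str:
    """Bounded, redacted summary for both output modes instead of the raw pane."""
    clean = redact(pane_text)
    lines = clean.splitlines()
    payload = {
        "tail": lines[-max_lines:],
        "errors": extract_errors(pane_text),
        "redacted": clean != pane_text,  # tells the caller something was withheld
    }
    if json_mode:
        return json.dumps(payload)
    return "\n".join(payload["tail"])


# Assumed user-scoped location; never the repository's working directory.
DEFAULT_LOG_DIR = os.path.join(os.path.expanduser("~"), ".local", "state", "pct")


def routing_record(project: str, reason: str) -> Dict[str, str]:
    """Minimized record: a short hash instead of the project name, a fixed reason
    category instead of the user's message text."""
    digest = hashlib.sha256(project.encode("utf-8")).hexdigest()[:12]
    return {"project_hash": digest, "reason": reason}


def append_routing_log(project: str, reason: str, log_dir: str = DEFAULT_LOG_DIR) -> Dict[str, str]:
    record = routing_record(project, reason)
    os.makedirs(log_dir, exist_ok=True)
    with open(os.path.join(log_dir, "routing.log"), "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


# Constructed sample of what a persistent coding pane commonly contains.
SAMPLE_PANE = """$ export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
$ echo $AWS_ACCESS_KEY_ID
AKIAIOSFODNN7EXAMPLE
$ cat .env
DB_PASSWORD=hunter2
$ npm test
Error: connect ECONNREFUSED 127.0.0.1:5432
$ """
```

Redaction is applied once and both output modes read from the same cleaned text, so the JSON path cannot be more permissive than the interactive one. The `redacted` flag lets a downstream agent know the summary is incomplete without telling it what was removed.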

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The example explicitly instructs the agent to make code changes, commit them, and push them to the current branch, but it does not present a clear warning or approval checkpoint before modifying repository history and transmitting changes to a remote. In a mobile/SSH workflow with automation and persistent sessions, this increases the chance of unintended code publication, accidental commits of sensitive material, or pushing unreviewed changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example instructs users to run repository-mutating commands (`git add -A`, `git commit`, `git push`) as part of a canned workflow without any warning, review checkpoint, or confirmation step. In a persistent terminal skill, this is more dangerous because commands may be sent into a long-lived session tied to a real project, increasing the chance of accidentally committing sensitive, unrelated, or unreviewed changes and pushing them to a remote.
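The findings on the missing confirmation gate and on the canned `git add -A` / `git commit` / `git push` workflow are both about the absence of a checkpoint between "the parser matched" and "the repository changed". The following is an added example, not the skill's own code; it models that checkpoint as a two-step process: plan the commands, check the plan against a policy (protected branches, approved push targets, secret-looking paths), and release commands only with explicit approval and no blockers. The branch patterns, the remote allowlist, the sensitive-path globs and the `RepoState` shape are assumptions for illustration.

```python
"""Hypothetical approval gate for repository-mutating actions (illustrative only)."""
import shlex
from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Dict, List

# Assumed policy: where a Codex-driven session may never push directly.
PROTECTED_BRANCHES = {"main", "master", "release/*"}
# Assumed policy: remote name -> URL prefix the push target must have.
ALLOWED_REMOTES: Dict[str, str] = {"origin": "git@github.com:example-org/"}
# Paths that must be reviewed by a human, never staged by automation.
SENSITIVE_GLOBS = ["*.env", ".env*", "*.pem", "*id_rsa*", "*.key", "*credentials*"]


@dataclass
class RepoState:
    branch: str
    remote_name: str
    remote_url: str
    changed_files: List[str]


@dataclass
class Plan:
    commands: List[str]
    blockers: List[str] = field(default_factory=list)

    def allowed(self, approved: bool) -> bool:
        return approved and not self.blockers


def plan_commit_and_push(state: RepoState, message: str) -> Plan:
    """Build the command list and the list of reasons it must not run."""
    blockers: List[str] = []
    if any(fnmatch(state.branch, pat) for pat in PROTECTED_BRANCHES):
        blockers.append(f"branch {state.branch!r} is protected; use a feature branch")
    expected = ALLOWED_REMOTES.get(state.remote_name)
    if expected is None or not state.remote_url.startswith(expected):
        blockers.append(
            f"remote {state.remote_name!r} -> {state.remote_url!r} is not an approved push target")
    for path in state.changed_files:
        if any(fnmatch(path, g) for g in SENSITIVE_GLOBS):
            blockers.append(f"{path!r} looks like a secret; refusing to stage it")
    # Stage the reviewed files explicitly, never `git add -A`; quote everything.
    staged = " ".join(shlex.quote(p) for p in state.changed_files)
    commands = [
        f"git add -- {staged}",
        f"git commit -m {shlex.quote(message)}",
        f"git push {state.remote_name} HEAD:{state.branch}",
    ]
    return Plan(commands, blockers)


def release_for_execution(plan: Plan, approved: bool) -> List[str]:
    """The gate: commands leave this function only with approval and zero blockers."""
    if not plan.allowed(approved):
        return []
    return list(plan.commands)


if __name__ == "__main__":
    state = RepoState("feature/login-fix", "origin",
                      "git@github.com:example-org/app.git", ["src/auth.py", "tests/test_auth.py"])
    plan = plan_commit_and_push(state, "Fix login")
    print("blockers:", plan.blockers)
    print("released:", release_for_execution(plan, approved=True))
```

Whatever drives the terminal should show the human the plan (commands plus blockers) and wait for a positive answer; `approved` is that answer, and a default of `False` on any non-interactive path keeps the finding's failure mode (parser misclassification or an adversarial prompt) from reaching `git push`.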

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Intelligent auto routing

You can enable auto-routing so coding intents are automatically executed through persistent sessions.

Config toggle (default false):
- `openclaw.config.dev.autoCodeRouting`
Confidence
90% confidence
Finding
Matched phrase: `automatically execute`

VirusTotal

64/64 vendors reported this skill as clean.
