Claude Code Runner
Rating: Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill has a legitimate Claude Code automation purpose, but it auto-approves prompts and builds a shell command from the task text without safe escaping.
Review before installing. Use only in an isolated copy of a project, with a dedicated non-root user, and do not feed it untrusted prompts or unusual project paths until the shell-escaping issue is fixed. Inspect diffs before syncing changes back, and pin any external installation source to a reviewed commit.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted prompt or project path containing quotes or shell metacharacters could execute arbitrary shell commands as the selected user.
The natural-language prompt and temporary path are interpolated into a shell command passed to su -c without shell escaping.
    f'cd {temp_workdir} && claude --print "{prompt}" 2>&1'
Do not build a shell string from the prompt or path. Pass the prompt through stdin or a temporary file, quote paths safely, validate inputs, and avoid su -c when possible.
Claude Code safety or confirmation prompts may be accepted without the user seeing the exact action being approved.
The runner matches broad confirmation-like phrases in the PTY output and automatically writes a y answer back to the PTY in response.
    if b'Do you want to' in output or b'proceed' in output.lower() or b'continue' in output.lower():
        ... os.write(master_fd, b'y\n')
Require explicit user approval for file writes, command execution, installs, deletes, or other high-impact actions; at minimum, restrict auto-approval to exact low-risk prompts.
A mistaken or manipulated Claude Code run can silently spread unwanted edits across the user's real project files.
On successful exit, changes generated in the temporary copy are automatically propagated back to the original project.
    if exit_code == 0:
        print(f"[INFO] Syncing changes back to original directory...", file=sys.stderr)
        _sync_changes(temp_workdir, workdir)
Sync only after showing a diff and getting user approval; use backups or version control, and allow users to limit which files can be written back.
The runner can operate under the privileges and local Claude Code account context of the selected system user.
The skill explicitly requires elevated local privileges so it can switch users while running Claude Code.
Root or sudo access (for user switching)
Run it only as a dedicated least-privilege user, avoid running as root, and ensure sudo/user-switching access is tightly controlled.
Users may install code that differs from the reviewed artifact if the upstream repository changes.
The installation instructions clone a live external repository without a pinned commit or checksum.
git clone https://github.com/lhl09120/claude-code-runner-en.git
Pin installation to a reviewed commit or release and verify the downloaded files before use.
