Claude Code Runner

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: claude-code-runner
Version: 0.1.0

The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/run_claude.py`. The user-controlled `prompt` parameter is directly embedded into a shell command executed via `su -c`, allowing arbitrary command execution as the specified user. This risk is significantly amplified by the script's explicit requirement for root/sudo privileges to perform user switching and file ownership changes, potentially leading to a Remote Code Execution (RCE) as root. While the script's stated purpose is legitimate, this severe vulnerability allows for malicious exploitation without clear evidence of intentional self-exploitation within the provided code.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted prompt or project path containing quotes or shell metacharacters could execute arbitrary shell commands as the selected user.

Why it was flagged

The natural-language prompt and temporary path are interpolated into a shell command passed to su -c without shell escaping.

Skill content

f'cd {temp_workdir} && claude --print "{prompt}" 2>&1'

Recommendation

Do not build a shell string from the prompt or path. Pass the prompt through stdin or a temporary file, quote paths safely, validate inputs, and avoid su -c when possible.

What this means

Claude Code safety or confirmation prompts may be accepted without the user seeing the exact action being approved.

Why it was flagged

The runner broadly detects confirmation-like text and automatically sends yes to the PTY.

Skill content

if b'Do you want to' in output or b'proceed' in output.lower() or b'continue' in output.lower(): ... os.write(master_fd, b'y\n')

Recommendation

Require explicit user approval for file writes, command execution, installs, deletes, or other high-impact actions; at minimum, restrict auto-approval to exact low-risk prompts.

What this means

A mistaken or manipulated Claude Code run can silently spread unwanted edits across the user's real project files.

Why it was flagged

On successful exit, changes generated in the temporary copy are automatically propagated back to the original project.

Skill content

if exit_code == 0:
    print(f"[INFO] Syncing changes back to original directory...", file=sys.stderr)
    _sync_changes(temp_workdir, workdir)

Recommendation

Sync only after showing a diff and getting user approval; use backups or version control, and allow users to limit which files can be written back.

What this means

The runner can operate under the privileges and local Claude Code account context of the selected system user.

Why it was flagged

The skill explicitly requires elevated local privileges so it can switch users while running Claude Code.

Skill content

Root or sudo access (for user switching)

Recommendation

Run it only as a dedicated least-privilege user, avoid running as root, and ensure sudo/user-switching access is tightly controlled.

What this means

Users may install code that differs from the reviewed artifact if the upstream repository changes.

Why it was flagged

The installation instructions clone a live external repository without a pinned commit or checksum.

Skill content

git clone https://github.com/lhl09120/claude-code-runner-en.git

Recommendation

Pin installation to a reviewed commit or release and verify the downloaded files before use.