CHC - Claw Help Claude

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Claude Code session-management skill, with cleanup commands that users should run carefully.

Install this only if you want OpenClaw to manage Claude Code sessions. Use narrow project directories, review Claude Code permissions before launching sessions, avoid placing secrets in prompts, and back up or rename config/session files before running cleanup or reset commands.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the operator to delete a configuration file with `rm ~/.acpx/config.json` as a troubleshooting step, but provides no warning, backup guidance, or validation step first. Even though the path is specific rather than wildcarded, it is still a destructive action affecting persistent user configuration and could cause loss of settings or service disruption if followed blindly.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The clean command permanently deletes session JSON files based solely on age, with no confirmation prompt, dry-run mode, or recycle/quarantine behavior. In a session-management utility that operates on user history under ~/.claude/sessions, accidental invocation or misuse can cause irreversible loss of conversation data and workflow state.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal