Resilient Claude Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is powerful but is, by design, meant to run unattended Claude Code sessions in tmux with permission prompts disabled.

Install only if you trust the orchestrator and are comfortable with Claude Code running without permission prompts in the selected project. Prefer using a dedicated user, VM, or container; audit the `claude` and `openclaw` binaries on PATH; avoid unrelated tmux sessions using the `claude-` prefix; and clean up temp logs if task output may contain secrets.
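The install guidance above (audited binaries, no unrelated `claude-` tmux sessions, scrubbed temp logs) is worth turning into a pre-flight step rather than a mental checklist, and the same checks address the runtime behaviours listed later under Autonomous Decision Making (prefix-based session cleanup, bash dispatched via `send-keys`, logs in a `mktemp -d` / `chmod 700` directory). The bash functions below are an added example, not code from the skill, its author, or the SkillSpector report. They assume `tmux list-sessions -F '#S'` output on stdin (a constructed sample is used here, so nothing needs a running tmux), a SHA-256 digest you recorded yourself after auditing the `claude` binary (the placeholder value is hypothetical), and GNU `sha256sum`; the function names and the redaction patterns are illustrative choices, not anything the skill defines.

```shell
#!/usr/bin/env bash
# Pre-flight checks before dispatching an unattended Claude Code task.
# Added example; assumes bash, grep, sed -E and GNU sha256sum. Nothing here
# launches claude or tmux; the functions only inspect input you hand them.
set -eu

SESSION_PREFIX="claude-"

# Session name the skill would use for a task: claude-<task-name>.
session_name() { printf '%s%s' "$SESSION_PREFIX" "$1"; }

# Read `tmux list-sessions -F '#S'` output on stdin and print every session
# that shares the claude- prefix but is NOT the one this task will create.
# Anything printed is a session that prefix-based cleanup could terminate.
prefix_collisions() {
  local task="$1" ours
  ours="$(session_name "$task")"
  grep -E "^${SESSION_PREFIX}" | grep -vxF "$ours" || true
}

# Succeed if the exact session for this task already exists (so launching
# would attach to, or later kill, work that is not ours).
session_exists() {
  local ours
  ours="$(session_name "$1")"
  grep -qxF "$ours"
}

# Compare a binary on PATH against a digest recorded during a manual audit.
# Usage: verify_binary claude "<sha256 you recorded>"
verify_binary() {
  local name="$1" expected="$2" path actual
  path="$(command -v "$name")" || { echo "$name: not on PATH" >&2; return 1; }
  actual="$(sha256sum "$path" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ] || { echo "$name: digest mismatch at $path" >&2; return 1; }
}

# Redact common credential shapes from a task log before it leaves the temp
# dir. Patterns are illustrative (AWS access key id, sk- style API keys,
# bearer tokens); extend them for the secrets your project actually handles.
redact_secrets() {
  sed -E \
    -e 's/AKIA[0-9A-Z]{16}/[REDACTED_AWS_KEY]/g' \
    -e 's/sk-[A-Za-z0-9_-]{20,}/[REDACTED_API_KEY]/g' \
    -e 's/(Bearer )[A-Za-z0-9._-]+/\1[REDACTED]/g'
}

# Temp dir with the properties the skill documents: mktemp -d, mode 0700.
make_workdir() {
  local d
  d="$(mktemp -d)"
  chmod 700 "$d"
  printf '%s' "$d"
}

# Typical use before dispatch (shown as comments; not executed here):
#   TASK=refactor
#   tmux list-sessions -F '#S' 2>/dev/null | session_exists "$TASK" \
#     && { echo "claude-$TASK already exists; refusing to launch" >&2; exit 1; }
#   others="$(tmux list-sessions -F '#S' 2>/dev/null | prefix_collisions "$TASK")"
#   [ -z "$others" ] || echo "warning: other claude- sessions present: $others" >&2
#   verify_binary claude "0000000000000000000000000000000000000000000000000000000000000000"  # hypothetical
#   TMPDIR="$(make_workdir)"
#   ... run the task ...
#   redact_secrets <"$TMPDIR/output.log" >"$TMPDIR/output.redacted.log"
```

Refusing to launch when `claude-<task-name>` already exists, and warning when other `claude-` sessions are present, are the two checks that protect against the cleanup behaviour the report describes; the digest check is only as good as the audit you did when recording it, so re-record it whenever the binary is updated.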

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill explicitly orchestrates shell execution through tmux, bash, and Claude Code, yet the metadata declares only binary requirements and no permissions/capability boundary. That mismatch is dangerous because an orchestrator or user may treat the skill as lower-risk than it is, even though it can execute arbitrary shell commands in the project context via `send-keys` and `--dangerously-skip-permissions`.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script launches `claude` with `--dangerously-skip-permissions`, explicitly disabling permission safeguards for an autonomous agent session. In this skill's context, prompts, resume state, and project directory are all externally influenced inputs, so removing interactive permission checks materially increases the chance of unintended file modification, command execution, or data access without user confirmation.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**What this skill can do at runtime:**

- Execute Claude Code without any permission prompts. Claude will read, write, and run bash commands in the project directory without asking. If a coding agent with full filesystem and shell access inside your project is not acceptable, do not install this skill.
- Create and kill tmux sessions whose names match `claude-<task-name>`. If you run other tmux sessions with that prefix, the monitor's cleanup path could terminate them.
- Dispatch bash commands into tmux via `send-keys`. The orchestrator controls what gets dispatched, so a compromised or buggy orchestrator can use this skill to run arbitrary bash in the project directory.
- Write files to a secure temp directory (`mktemp -d`, `chmod 700`) and to the project directory via Claude Code.
Confidence
99% confidence
Finding
without asking

Session Persistence

Medium
Category
Rogue Agent
Content
Use the active monitor script for every task. The monitor runs continuously with configurable intervals and handles its own timing -- no cron or external scheduler needed.

```bash
nohup bash <skill-dir>/scripts/monitor.sh claude-<task-name> "$TMPDIR" \
  >"$TMPDIR/monitor.log" 2>&1 &
```
Confidence
93% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
6. Launch Claude Code with wrapper (PID capture + manifest updates + done-file protocol)
7. Verify pipe-pane is capturing output (`ls -la $TMPDIR/output.log`)
8. Notify user: task content, session name (`claude-<task-name>`), model used
9. Launch monitor: `nohup bash <skill-dir>/scripts/monitor.sh claude-<task-name> "$TMPDIR" >"$TMPDIR/monitor.log" 2>&1 &` (mandatory for every task; `nohup` ensures the monitor survives parent shell exit)

## Limitations
Confidence
92% confidence
Finding
nohup

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal