Dangerous exec
Critical
- Finding
- Shell command execution detected (child_process).
Claude CLI Proxy
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The proxy mostly does what it says, but it uses your Claude subscription in a persistent local service and recommends persistent global Claude Code instructions that can affect future sessions.
Review before installing. Use this only if you intend full OpenClaw prompts and recent history to go through Claude Code/Anthropic, avoid blindly overwriting ~/.claude/settings.json, and enable autostart only if you understand how to disable it later.
Static analysis
Dangerous exec
Critical
- Finding
- Shell command execution detected (child_process).
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
Future Claude Code sessions may keep following this OpenClaw identity/instruction setup, and existing Claude Code settings could be lost.
Why it was flagged
The setup writes persistent global Claude Code instructions rather than a narrowly scoped proxy setting, and the shell redirection would overwrite the existing settings file.
Skill content
cat > ~/.claude/settings.json ... "customInstructions": "You are [YOUR_AGENT_NAME]... Always respond as [YOUR_AGENT_NAME]. This is not roleplay"
Recommendation
Do not blindly overwrite ~/.claude/settings.json; back it up, merge only the needed settings, prefer project-scoped configuration, and remove the custom instruction when no longer needed.
What this means
Agent instructions, memory, identity files, or other private prompt context may be saved in the workspace and sent to Anthropic.
Why it was flagged
The skill clearly discloses that full system context is stored locally and transmitted through Claude Code; this is purpose-aligned but sensitive.
Skill content
Privacy note: System prompt content is written to `.ccproxy-system-context.md` in the workspace and sent to Anthropic on each request... persists on disk between requests.
Recommendation
Use this only if you are comfortable sending the full OpenClaw context through Claude Code, and protect or delete the `.ccproxy-system-context.md` file if it contains sensitive information.
What this means
Local requests to the proxy can consume your Claude subscription capacity and operate through your Claude Code login.
Why it was flagged
The proxy intentionally uses the local Claude Code account/session instead of an API key; this is expected for the stated purpose but is account-level authority.
Skill content
Claude Code CLI installed and authenticated with a subscription (Team/Max/Pro) ... Token refresh: Claude Code handles OAuth token refresh automatically
Recommendation
Install only for accounts you intend to use this way, keep the proxy bound to localhost, and monitor Claude subscription usage and rate limits.
Medium
What this means
The proxy may continue running after login or during heartbeat cycles and remain available to local processes.
Why it was flagged
The artifact documents optional persistence mechanisms that keep the proxy running or restart it automatically.
Skill content
<key>KeepAlive</key><true/> ... Restart=always ... Add to HEARTBEAT.md so the proxy is checked every heartbeat cycle
Recommendation
Enable autostart only if needed, document how to disable it, and unload the LaunchAgent/systemd service when you stop using the proxy.
What this means
Running the proxy gives the script the ability to invoke local Claude/acpx commands under your user account.
Why it was flagged
The proxy runs the acpx/Claude CLI as its backend. This command execution is central to the skill, but it means the reviewed script becomes an execution bridge to local CLI tooling.
Skill content
execFile('acpx', ['claude', 'prompt', '-s', SESSION_NAME, prompt]Recommendation
Review the scripts before running them, keep session names simple, and prefer sanitized execFile-style calls for all variable command arguments.
What this means
You will run globally installed third-party CLI packages on your machine.
Why it was flagged
The setup uses global, unpinned npm installs. This is normal for the integration, but it leaves package provenance and version selection to the user's environment.
Skill content
npm install -g @anthropic-ai/claude-code acpx
Recommendation
Install from trusted sources, consider pinning known-good versions, and keep the CLI packages updated.