Claude Code Control

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it gives broad terminal and screen-control power with weak safeguards around command injection, trust approvals, screenshots, and saved session logs.

Install only if you are comfortable granting a Node package macOS Accessibility-level control over Terminal and allowing it to capture screenshots and session logs. Use it only in trusted project directories, avoid terminals that show secrets or customer data, do not pass untrusted project paths or long command text, and review or disable saved recordings when handling private repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The API advertises sending commands to a Claude Code session, but instead interpolates the provided command into a shell string and executes it directly with execSync. This is dangerous because callers may trust the abstraction and pass agent-generated or untrusted text expecting Claude Code mediation, while the implementation grants direct shell execution in the target workspace.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The module documentation frames this as a Claude Code control interface, but the implementation silently auto-approves the folder trust prompt. That hidden behavior weakens a meaningful security boundary and can cause users or higher-level agents to operate under false assumptions about when trust is being granted.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The code claims to wait for readiness, but instead uses fixed sleeps and blindly sends approval keystrokes. This can cause input to be delivered to the wrong prompt or state, accidentally approving security-sensitive dialogs or issuing unintended commands to the controlled process.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
This test script launches and programmatically controls an external Claude Code session, then sends shell-like commands and persists a session recording. In an agent-skill context, process/session control is a powerful capability that can be repurposed to run arbitrary commands, interact with sensitive workspaces, and capture outputs or screenshots, especially because the controlled session is pointed at a real user directory path.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README prominently advertises screenshot capture and session recording of a visible Terminal window but does not clearly warn that terminal contents may include secrets, credentials, tokens, source code, customer data, or other sensitive on-screen material. In the context of an agent skill that automates another coding agent, this omission is riskier because automated runs can capture and persist sensitive data at scale without the user fully appreciating the privacy implications.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README instructs users to grant macOS Accessibility permissions to Terminal.app and Script Editor without explaining that these permissions enable broad UI automation, keystroke injection, window control, and potential interaction with other applications. In this skill's context, that is especially dangerous because the package is explicitly designed to drive a terminal like a human, so the granted permissions materially increase the blast radius of misuse or compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly advertises screenshots and full session recording with timestamped logs, but it does not clearly warn that terminal contents may include secrets, source code, credentials, API keys, or other sensitive material. Because the skill automates an interactive terminal tied to Claude Code sessions, the captured artifacts can persist sensitive data to disk and increase the likelihood of unintended disclosure or later exfiltration.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill uses macOS Accessibility permissions and synthetic keystrokes to drive Terminal and execute commands, which gives it powerful GUI-level control over a user's system. While the document mentions the permissions in requirements, it fails to present this as a security risk or warn that command injection, focus hijacking, or unintended keystrokes could cause arbitrary command execution in the visible terminal context.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code waits briefly and then writes input to automatically select 'Yes, I trust this folder' without any user disclosure or consent. Auto-approving trust defeats the purpose of the prompt and may expose users to unsafe workspace behavior, especially when opening untrusted repositories or generated project paths.

Missing User Warnings

High
Confidence
99% confidence
Finding
The send function executes arbitrary shell commands in the project directory using execSync and provides no warning, confirmation, or restriction on what may be run. In an agent skill context, this is especially dangerous because natural-language or model-produced commands can become direct code execution, enabling filesystem modification, credential theft, or destructive operations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill records full stdout/stderr and commands into an in-memory session log and can persist that log to disk, which may capture secrets, credentials, proprietary code, or sensitive prompts without any warning, consent flow, redaction, or access control. In an agent skill that drives an interactive coding tool, session output is especially likely to contain sensitive repository contents and tokens.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code automatically approves a detected security/trust prompt by sending input that indicates the folder is trusted, bypassing the user's explicit security decision. This defeats a built-in safeguard and can cause the agent to operate in an untrusted project context where malicious repository content, hooks, or configuration may influence subsequent actions.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill automatically answers an interactive security approval prompt (`1` and confirmation) without any user review or consent. That bypasses an important safety control and could grant the spawned tool access or permissions the operator did not intend to approve, especially dangerous because this skill is explicitly designed to drive an interactive coding agent.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill includes a dedicated function that automatically approves Claude Code's security trust prompt by typing '1' and pressing Enter, with no explicit user confirmation or policy check. This defeats an important security boundary and could grant a launched session trusted access to an arbitrary folder, increasing the risk of unintended code execution, data exposure, or destructive actions in sensitive directories.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The screenshot helper captures either the Terminal window or the entire screen if window bounds cannot be determined, and it does so without any user consent flow, redaction, or minimization. Because the skill is designed to control a visible desktop session, screenshots can easily contain secrets from terminal output, other applications, notifications, or authentication flows, making the fallback to full-screen especially risky.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This test performs shell execution that creates directories and files without any interactive warning, confirmation, or safety guard. Even though it uses a timestamped /tmp path and appears intended for testing, silent filesystem mutation is dangerous in an agent skill because it normalizes side effects and could be repurposed or expanded to write outside safe locations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This code runs a shell command in a hard-coded external workspace under a user-specific path and activates a virtual environment before executing pytest. In an agent context, undisclosed execution against an external project can trigger arbitrary project hooks, imports, test fixtures, or plugin code, leading to unintended code execution, data exposure, or modification of a real environment.

Ssd 3

Medium
Confidence
91% confidence
Finding
The session log records raw commands and screenshot paths, and other parts of the skill capture screenshots during launch, send, and verification flows. In this context, those artifacts may include credentials, tokens, project secrets, private source code, or login state, and saving them to disk as a session recording increases the chance of later disclosure or misuse.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
session.outputBuffer.includes('Trust')) {
        clearInterval(checkReady);
        
        // Auto-approve: send "1" for "Yes, I trust this folder"
        console.log(`[CC-${sessionId}] ✅ Security prompt detected, auto-approving...`);
        session.proc.stdin.write('1\n');
Confidence
93% confidence
Finding
Auto-approve

Session Persistence

Medium
Category
Rogue Agent
Content
}

/**
 * Save session to file
 */
async function saveSession(sessionId, filepath) {
  const session = sessions.get(sessionId);
Confidence
81% confidence
Finding
Save session to file

VirusTotal

64/64 vendors flagged this skill as clean.
