
Security audit

Claude Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Claude Code automation tool, but it normalizes unattended high-privilege agent execution and persistent background monitoring to a degree that warrants careful review before installing.

Install only if you intentionally want OpenClaw to supervise Claude Code for you. Keep notification modes at event-only, avoid summary/full mode for private code, do not use `--auto` or `--dangerously-skip-permissions` except in trusted sandboxed projects, review the added `~/.claude/settings.json` hook, and use the provided stop script to clean up tmux sessions and monitors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs use of shell commands, writes files such as settings.json and /tmp outputs, and depends on environment variables, yet it declares no explicit permissions. That mismatch prevents meaningful consent and review, and can cause the agent platform to under-enforce risky capabilities the skill actually uses.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The description frames the skill as a project-management wrapper for Claude Code, but the body also enables external notifications, OpenClaw agent wakeups, approval-state monitoring, and publishing-related behaviors not disclosed up front. Hidden or under-disclosed outbound communication and orchestration increase the chance that task data, prompts, or session metadata are sent to external systems without informed consent.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The workflow recommends print mode with --dangerously-skip-permissions and treats automatic approval as a normal operating mode, while a later rule says to use it only when explicitly requested. This directly weakens user oversight and allows unrestricted code execution, file changes, and tool use in a skill designed to orchestrate another agent, substantially increasing the blast radius of mistakes or prompt-injection-driven actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
In auto mode, the script launches `claude --dangerously-skip-permissions`, explicitly disabling permission checks for an interactive coding agent. In this skill context, the tool is designed to execute and iterate on project tasks through tmux automation, so removing approval gates materially increases the chance of unintended or unsafe file/system actions without human review.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The prompt library explicitly recommends using `claude -p --dangerously-skip-permissions`, which disables an important safety boundary and enables unattended execution without normal permission checks. In the context of a project-manager/orchestration skill that drives an interactive CLI and supports asynchronous execution, documenting this as a standard pattern materially increases the chance of high-impact filesystem, shell, or network actions being run without review.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README states that task events are always sent to Telegram and that users can optionally enable reply summaries, but the user-facing invocation examples do not foreground that work metadata and potentially task content may be transmitted to a third-party messaging service. In a skill designed to handle coding tasks against local projects, users may paste sensitive paths, code context, or business requests without realizing external notification flows are part of the default workflow, creating avoidable privacy and confidentiality exposure.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill routes completion and approval events to Telegram/OpenClaw and includes examples of session data such as cwd, transcript path, permission mode, and last assistant message, but it does not present a clear user-facing privacy notice or data-minimization guidance. That can expose sensitive project metadata or content to third-party messaging systems unintentionally.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill normalizes dangerous permission skipping and broad auto-approval without adequately warning that this can authorize arbitrary shell commands and persistent file/system changes. In context, this skill is specifically meant to drive an interactive coding agent, so removing approval gates makes accidental or injected harmful actions much more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The hook can send conversation-derived summary content to an external messaging channel, which creates a real data exfiltration/privacy risk if Claude output contains secrets, internal code details, or sensitive prompts. The risk is amplified because this is an automated hook that runs on turn completion, so transmission can occur without an explicit per-event user confirmation.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The hook wakes an external agent and includes a transcript path and optionally a summary, which can expose sensitive conversation content or enable further access to transcripts by another system/component. In the context of an agent-orchestration skill that automatically coordinates tools and asynchronous wakeups, this cross-component data sharing is more dangerous because it broadens the trust boundary and may happen silently.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The monitor reads interactive tmux pane content and can include approval details such as tool name and command in outbound notifications or agent messages. Because pane contents may contain sensitive commands, paths, prompts, or data, transmitting them to external channels without explicit user disclosure or strict minimization can leak confidential information.
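The notification findings above (Telegram summaries, OpenClaw wakeups carrying a transcript path, pane contents in approval alerts) all come down to one missing control: a minimization step between the hook input and the outbound message. The following is an added example of that step, written for this audit and not taken from the skill. It assumes the hook receives JSON with the fields the findings list (hook_event_name, session_id, cwd, transcript_path, permission_mode, last_assistant_message); the field names and the sample event are constructed.

```python
"""Minimize what a Claude Code Stop/Notification hook forwards to Telegram or
another agent.  Added example for this audit; not the audited skill's code.

Assumptions: the hook receives a JSON object on stdin carrying the fields the
findings above mention (hook_event_name, session_id, cwd, transcript_path,
permission_mode, last_assistant_message).  The three modes mirror the skill's
event-only / summary / full notification modes as described in the overview.
"""
import hashlib
import json
import os
import re
import sys

# Strings that must never leave the host even in summary mode.
SECRET_PATTERNS = [
    re.compile(r"AKIA[0-9A-Z]{16}"),                                    # AWS access key id
    re.compile(r"sk-[A-Za-z0-9_-]{16,}"),                               # common API key prefix
    re.compile(r"gh[pousr]_[A-Za-z0-9]{20,}"),                         # GitHub tokens
    re.compile(r"(?i)bearer\s+[A-Za-z0-9._~+/=-]{16,}"),               # Authorization headers
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    re.compile(r"(?i)(password|passwd|token|secret)\s*[=:]\s*\S+"),    # KEY=value leaks
]


def scrub(text):
    """Replace anything that looks like a credential with a fixed marker."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def minimize(payload, mode="event", allow_full=False, max_chars=240):
    """Return the only fields that should be sent for the given notification mode.

    event   : event name + a short session handle, nothing else (recommended default)
    summary : adds the last assistant message, scrubbed and truncated
    full    : adds project basename and permission mode; refused unless allow_full
    The transcript path and the absolute cwd never leave this function in any mode.
    """
    out = {
        "event": payload.get("hook_event_name", "unknown"),
        # Hash rather than the raw id, so the value cannot be used directly as a transcript file name.
        "session": hashlib.sha256(payload.get("session_id", "").encode()).hexdigest()[:8],
    }
    if mode == "event":
        return out
    if mode == "full" and not allow_full:
        raise PermissionError("full mode forwards project details; enable it only for non-private code")
    message = payload.get("last_assistant_message") or payload.get("message") or ""
    out["summary"] = scrub(message)[:max_chars]
    if mode == "full":
        out["project"] = os.path.basename(payload.get("cwd", "").rstrip("/"))
        out["permission_mode"] = payload.get("permission_mode", "")
    return out


SAMPLE_STOP_EVENT = {  # constructed sample, not a real session
    "hook_event_name": "Stop",
    "session_id": "3f9c2a7e-5b1d-4c0a-9e2f-7a6d8b1c4e5f",
    "cwd": "/home/alice/work/acme-billing",
    "transcript_path": "/home/alice/.claude/projects/-home-alice-work-acme-billing/3f9c2a7e.jsonl",
    "permission_mode": "bypassPermissions",
    "last_assistant_message": (
        "Deployed with STRIPE_SECRET=sk-live-4eC39HqLyjWDarjtT1zdp7dc "
        "using AKIAIOSFODNN7EXAMPLE; tests pass."
    ),
}

if __name__ == "__main__":
    # As a hook: read the event from stdin and print the minimized JSON for the sender to forward.
    event = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_STOP_EVENT
    mode = os.environ.get("NOTIFY_MODE", "event")
    print(json.dumps(minimize(event, mode)))
```

Event mode emits only the event name and a hashed session handle, which is what the overview recommends. Summary mode never forwards cwd or transcript_path and scrubs credential-shaped strings before truncating; full mode must be opted into explicitly and still drops the transcript path.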

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script exposes a dangerous permission-bypass mode using only the flag name as warning, with no interactive confirmation or policy acknowledgement. Because this skill is meant to orchestrate Claude Code as a project-management automation tool, users may invoke `--auto` expecting convenience and unintentionally grant the agent unrestricted execution behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation explicitly advertises `--dangerously-skip-permissions` as a way to bypass all tool approval prompts, but it does not pair that with a prominent warning explaining the security consequences. In the context of this skill, which orchestrates an interactive coding agent with shell access, hooks, and asynchronous execution, normalizing permission bypass materially increases the chance of unsafe command execution without user review.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The MCP configuration example includes an `API_KEY` environment variable placeholder but does not warn that credentials are sensitive and must not be hardcoded, committed, or exposed in logs. In an agent skill that may be copied directly by users, this can encourage insecure secret handling and accidental credential leakage to repositories, subprocesses, or monitoring tools.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The markdown presents auto-execution examples using a dangerous permission-bypass flag without any warning about the loss of safeguards or the possibility of destructive actions. Because this skill is designed to orchestrate Claude Code operations via tmux/hooks and task automation, normalizing such examples can lead operators to copy unsafe commands into real workflows, amplifying the risk of unintended system changes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The reference includes a ready-to-copy example using `--dangerously-skip-permissions` without any warning, safeguards, or explanation of the trust boundary. In this skill's context, which is explicitly designed to orchestrate Claude Code for autonomous task execution via tmux, hooks, and asynchronous wakeups, normalizing permission bypass makes unsafe execution materially more likely and weakens a key defense against destructive or over-broad tool use.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow explicitly reads `~/.claude/settings.json`, which can contain user-specific configuration, tokens, endpoints, hooks, or other sensitive local settings, yet it provides no warning, minimization, or redaction guidance. In a skill that centralizes knowledge updates, this increases the chance that private configuration data is copied into temporary files, logs, diffs, or reports beyond what is necessary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow explicitly instructs use of `claude -p --dangerously-skip-permissions`, which bypasses normal safety/approval controls for an agent that can operate on project files and run in the background. In this skill context, that is materially dangerous because the whole workflow is designed to execute delegated tasks via tmux/hooks, so a bad prompt, compromised context, or operator mistake could lead to unrestricted file or command actions without an interactive permission checkpoint.
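Added example for this audit, not part of the skill: a launch wrapper that supplies the confirmation and policy acknowledgement the permission-bypass findings above say is missing before `--dangerously-skip-permissions` is honoured. The policy it enforces (an allowlist of sandbox roots in CLAUDE_SANDBOX_ROOTS and an explicit CLAUDE_UNATTENDED_ACK=yes) is an assumption made for the example, and both environment variable names are invented here.

```python
"""Launch wrapper that adds the acknowledgement step the audited script lacks.
Added example for this audit; not part of the skill.  Policy, assumed for the
example: claude may run with --dangerously-skip-permissions only when the
working directory is inside a sandbox root listed in CLAUDE_SANDBOX_ROOTS
(colon-separated) and the operator has set CLAUDE_UNATTENDED_ACK=yes.
"""
import os
import sys
from pathlib import Path

BYPASS_FLAG = "--dangerously-skip-permissions"


def inside(path, root):
    """True when path resolves to root or a descendant; `..` and symlinks are resolved first."""
    try:
        Path(path).resolve().relative_to(Path(root).resolve())
        return True
    except ValueError:
        return False


def decide(argv, cwd, sandbox_roots, ack):
    """Return (allowed, reason) for launching `argv` from `cwd`."""
    if BYPASS_FLAG not in argv:
        return True, "permission prompts stay enabled"
    if not any(inside(cwd, root) for root in sandbox_roots):
        return False, f"{BYPASS_FLAG} refused: {cwd} is outside the sandbox roots {sandbox_roots}"
    if ack != "yes":
        return False, f"{BYPASS_FLAG} refused: set CLAUDE_UNATTENDED_ACK=yes to acknowledge unattended execution"
    return True, f"{BYPASS_FLAG} accepted: {cwd} is sandboxed and the operator acknowledged"


if __name__ == "__main__":
    argv = ["claude"] + sys.argv[1:]
    roots = [r for r in os.environ.get("CLAUDE_SANDBOX_ROOTS", "").split(":") if r]
    allowed, reason = decide(argv, os.getcwd(), roots, os.environ.get("CLAUDE_UNATTENDED_ACK", ""))
    print(f"[launch-guard] {reason}", file=sys.stderr)   # local record of every decision
    if not allowed:
        sys.exit(2)
    os.execvp(argv[0], argv)   # replaces this wrapper with claude: same pid, same stdio
```

Resolving both paths before the containment check means `/tmp/sandbox/../../etc` or a symlink out of the sandbox is refused; an empty allowlist refuses every bypass request, which is the safe default for a freshly installed skill.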

Ssd 3

Medium
Confidence
95% confidence
Finding
Reading the local Claude settings file during a knowledge update can expose secrets, internal endpoints, filesystem paths, hook commands, and other private configuration unrelated to the update objective. Because this skill operates as a project-manager-style agent that may monitor, diff, report, and persist outputs, the surrounding context makes accidental propagation of sensitive settings more likely.
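Added example for this audit, not code from the skill or from SkillSpector: a read-side check for `~/.claude/settings.json` covering three concerns raised above in one pass: hook commands that reach external services or wake another agent, hooks that launch claude with permission checks disabled, and credentials such as the `API_KEY` from the MCP example stored as literals rather than `${VAR}` references. It also produces a redacted copy for reports, which is the minimization step the settings-file findings ask for. The hooks and mcpServers layout it expects is the Claude Code settings structure as assumed here; the sample settings, paths and server names are constructed.

```python
"""Audit ~/.claude/settings.json for hooks that ship data off-box, hooks that
launch claude with permission checks disabled, and credentials stored inline.
Added example for this audit; not code from the skill or from SkillSpector.

Assumed layout (Claude Code hooks settings): settings["hooks"][EVENT] is a list
of matcher groups, each with a "hooks" list of {"type": "command", "command": ...}.
MCP servers are assumed under settings["mcpServers"][name]["env"].
"""
import json
import os
import re
import sys

OUTBOUND_MARKERS = ("curl", "wget", "api.telegram.org", "telegram", "openclaw")  # data leaves the host or wakes another agent
SECRET_KEY_RE = re.compile(r"key|token|secret|passw", re.IGNORECASE)             # env names that usually hold credentials
PLACEHOLDER_RE = re.compile(r"^(\$\{?[A-Za-z_][A-Za-z0-9_]*\}?|<[^>]*>)?$")     # ${VAR}, $VAR, <placeholder>, or empty


def hook_commands(settings):
    """Yield (event, command) for every command hook, whatever event it is bound to."""
    for event, groups in settings.get("hooks", {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                if hook.get("type") == "command" and "command" in hook:
                    yield event, hook["command"]


def env_scopes(settings):
    """Yield (label, env dict) for the top-level env and every MCP server env."""
    yield "env", settings.get("env", {})
    for name, server in settings.get("mcpServers", {}).items():
        yield f"mcpServers.{name}.env", server.get("env", {})


def audit(settings):
    report = {"hooks": [], "outbound": [], "skip_permissions": [], "literal_secrets": []}
    for event, cmd in hook_commands(settings):
        report["hooks"].append(f"{event}: {cmd}")  # every hook is worth reading, inline or script
        markers = [m for m in OUTBOUND_MARKERS if m in cmd.lower()]
        if markers:
            report["outbound"].append(f"{event} hook reaches out via {markers}: {cmd}")
        if "--dangerously-skip-permissions" in cmd:
            report["skip_permissions"].append(f"{event} hook launches claude with permission checks disabled")
    for label, env in env_scopes(settings):
        for key, value in env.items():
            if SECRET_KEY_RE.search(key) and not PLACEHOLDER_RE.match(str(value)):
                report["literal_secrets"].append(f"{label}.{key} holds a literal credential; reference ${{{key}}} instead")
    return report


def redact(settings):
    """Deep copy with credential-named env values masked, safe to paste into a diff or report."""
    clean = json.loads(json.dumps(settings))
    for _, env in env_scopes(clean):
        for key in list(env):
            if SECRET_KEY_RE.search(key):
                env[key] = "<redacted>"
    return clean


SAMPLE_SETTINGS = {  # constructed for this example; paths and server names are made up
    "env": {"ANTHROPIC_API_KEY": "${ANTHROPIC_API_KEY}", "EDITOR": "vim"},
    "hooks": {
        "Stop": [{"matcher": "", "hooks": [{"type": "command",
                  "command": "bash /opt/skills/claude-agent/hooks/stop_hook.sh --wake openclaw"}]}],
        "Notification": [{"hooks": [{"type": "command",
                  "command": "curl -s https://api.telegram.org/bot$TG_TOKEN/sendMessage -d chat_id=$TG_CHAT -d text=\"$MSG\""}]}],
    },
    "mcpServers": {
        "search": {"command": "npx", "args": ["search-mcp"], "env": {"API_KEY": "sk-live-0123456789abcdef"}},
        "files": {"command": "mcp-files", "env": {"API_KEY": "${FILES_API_KEY}"}},
    },
}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.claude/settings.json")
    with open(path) as fh:
        settings = json.load(fh)
    for section, lines in audit(settings).items():
        for line in lines:
            print(f"[{section}] {line}")
```

The marker scan only catches inline commands; a hook that runs an opaque script (the Stop hook in the sample) is reported under `hooks` so the reviewer knows to read the script itself, which is where this skill's notification and wakeup logic lives.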

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Run in the background; the Stop hook wakes the agent automatically when the run completes
nohup claude -p --dangerously-skip-permissions --model claude-sonnet-4-6 "<prompt>" > /tmp/claude_output.txt 2>&1 &
```

Additional options:
Confidence
90% confidence
Finding
Matched pattern: `nohup`. The process ignores SIGHUP and is detached from the controlling terminal, so it keeps running after the shell or session that launched it exits.

Session Persistence

Medium
Category
Rogue Agent
Content
### pane_monitor.sh (tmux output monitor)

**Start**: `nohup bash <skill_dir>/hooks/pane_monitor.sh <tmux-session> &`

**Detection**: scans the tmux pane output every 5 seconds for Claude Code permission-prompt keywords
Confidence
88% confidence
Finding
Matched pattern: `nohup`. The monitor is launched detached from the terminal and polls indefinitely in the background, outliving the session that started it unless it is explicitly stopped.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Option A: print mode (simple tasks)
nohup claude -p --dangerously-skip-permissions --model claude-sonnet-4-6 "<prompt>" > /tmp/claude_output.txt 2>&1 &

# Option B: interactive mode (complex tasks)
# Create a tmux session
```
Confidence
86% confidence
Finding
Matched pattern: `nohup`. The same detached print-mode launch appears again here; combined with `--dangerously-skip-permissions`, the agent keeps working unattended after the launching session ends.
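Added example, not the skill's own stop script: detection of the processes these three Session Persistence findings describe. It parses `ps -eo pid,ppid,tty,args` for claude runs with permission checks disabled and for pane monitors that have no controlling terminal, then drafts the cleanup the overview's stop script is meant to perform, killing a tmux session only when a monitor named it and `tmux ls` still lists it. The ps and tmux samples are constructed, and the skill path in them is made up.

```python
"""Find Claude Code agents and pane monitors left running detached, and draft
the cleanup the overview's stop script is meant to perform.  Added example for
this audit, not the skill's own stop script.

Inputs are `ps -eo pid,ppid,tty,args` and `tmux ls` text; both functions take
the text so they can be exercised on the constructed samples below.
"""
import subprocess

BYPASS_FLAG = "--dangerously-skip-permissions"
MONITOR = "pane_monitor.sh"


def find_detached_agents(ps_text):
    """Return processes with no controlling tty that are either a claude run
    with permission checks disabled or a tmux pane monitor."""
    hits = []
    for line in ps_text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, tty, args = parts
        detached = tty.strip("?") == ""             # '?' on Linux, '??' on macOS
        if not detached:
            continue                                # an attached interactive claude is not the target
        if "claude" in args and BYPASS_FLAG in args:
            hits.append({"pid": int(pid), "orphaned": ppid == "1",
                         "reason": "claude running with permission checks disabled", "args": args})
        elif MONITOR in args:
            session = args.split(MONITOR, 1)[1].split()   # first word after the script path
            hits.append({"pid": int(pid), "orphaned": ppid == "1",
                         "reason": "tmux pane monitor", "args": args,
                         "tmux_session": session[0] if session else None})
    return hits


def cleanup_plan(hits, tmux_ls_text):
    """Shell commands to stop each hit; a tmux session is killed only when a
    monitor named it and `tmux ls` shows it still exists."""
    live_sessions = {line.split(":", 1)[0] for line in tmux_ls_text.splitlines() if ":" in line}
    plan = [f"kill -TERM {h['pid']}" for h in hits]
    for h in hits:
        name = h.get("tmux_session")
        if name and name in live_sessions:
            plan.append(f"tmux kill-session -t {name}")
    return plan


def snapshot(cmd):
    """Run a read-only command and return its stdout ('' if the tool is absent)."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    except FileNotFoundError:
        return ""


PS_SAMPLE = """\
  PID  PPID TT       COMMAND
 4120     1 ?        claude -p --dangerously-skip-permissions --model claude-sonnet-4-6 Refactor the billing module
 4133     1 ?        bash /opt/skills/claude-agent/hooks/pane_monitor.sh claude-proj
 4200  3999 pts/2    claude
 5010  3999 pts/2    vim notes.md
"""  # constructed sample; the skill path is made up

TMUX_SAMPLE = """\
claude-proj: 1 windows (created Tue Mar  3 10:14:02 2026)
main: 2 windows (created Mon Mar  2 09:00:11 2026) (attached)
"""  # constructed sample

if __name__ == "__main__":
    hits = find_detached_agents(snapshot(["ps", "-eo", "pid,ppid,tty,args"]))
    for h in hits:
        print(f"{h['pid']}: {h['reason']}" + (" (orphaned, ppid 1)" if h["orphaned"] else ""))
    for cmd in cleanup_plan(hits, snapshot(["tmux", "ls"])):
        print(cmd)   # printed, not executed: review the plan before running it
```

The interactive `claude` on pts/2 in the sample is deliberately left alone: it has a controlling terminal and no bypass flag, so the user can still see and answer its prompts. The two ppid-1 entries are what remain after the launching shell has gone, which is exactly the state the nohup pattern produces.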

VirusTotal

66/66 vendors flagged this skill as clean.


Static analysis

No suspicious patterns detected.