Awesome Remote Control

Security checks across malware telemetry and agentic risk

Overview

This skill is openly a remote-control launcher, but it starts persistent Claude sessions with permission checks and workspace trust prompts bypassed.

Install only if you intentionally want agents to create remotely controllable Claude Code sessions that skip normal permission checks. Use it only in trusted directories, treat session URLs and resume UUIDs as secrets, review the ~/.claude.json trust change, and stop sessions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly enables shell execution, file reads/writes, and persistent session management, yet it declares no permissions. That omission weakens user awareness and policy enforcement, especially because the documented behavior includes launching tmux sessions, maintaining registries, and interacting with Claude state files. In context, the hidden capability surface makes a high-risk remote-control skill more dangerous, not less.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The declared purpose understates the true scope of the skill. Beyond starting sessions, it can send arbitrary tasks into existing sessions, stop sessions, enumerate metadata, persist a registry, and pre-seed workspace trust in ~/.claude.json, which materially expands its control and persistence capabilities. In this context, the mismatch is dangerous because users may invoke a seemingly simple startup skill without realizing it also enables command-and-control style interaction and local state modification.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The helper exposes functionality to modify ~/.claude.json and mark workspaces as trusted, which exceeds the stated purpose of merely managing remote sessions. In this skill context, silently altering trust state weakens an important safety boundary and can enable later dangerous operations in a workspace without the usual user confirmation.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The implementation does more than the manifest implies: it captures resume UUIDs from local Claude project files and supports persistent state changes beyond starting sessions. In a remote-control skill that already uses bypass permissions, this hidden expansion of capability is risky because it enables session persistence and continuation workflows the user may not expect.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script explicitly calls `registry.py trust-workspace "$WORKDIR"` before launching the remote-control session, which changes the trust state of an arbitrary directory as a side effect. In the context of a remote-control launcher that also uses `--dangerously-skip-permissions`, automatically trusting a workspace lowers safety boundaries and can cause subsequent operations in that directory to run with less scrutiny than the user may expect.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation wording is broad enough that the skill may trigger on vague requests about starting Claude remotely, despite the skill using dangerous flags and creating persistent remote-control sessions. Because the skill operates with bypassed permissions and session persistence, accidental activation has greater consequence than for an ordinary convenience tool. The context therefore increases risk: overbroad matching can lead to unintentionally launching a privileged remote-control endpoint.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill documents use of `--dangerously-skip-permissions` and remote control without any warning about the security consequences. That omission is serious because it normalizes an elevated-privilege execution mode that suppresses safety checks while exposing a live control surface. In this skill's context, bypass permissions directly increases the blast radius of any mistake, prompt injection, or unauthorized task submission.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
This code silently edits `~/.claude.json` to set `hasTrustDialogAccepted` for a workspace, bypassing the normal trust prompt and persisting the change. In the context of a remote-control skill advertised with bypass permissions, suppressing trust UX materially increases the chance of unsafe actions occurring in an unreviewed workspace.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script launches Claude with `--dangerously-skip-permissions --remote-control` and sends that command directly into tmux without any interactive warning, confirmation, or policy check. In this skill's context, that is especially dangerous because the entire purpose is to start a remote-controlled session with bypassed safeguards, increasing the chance of unauthorized file/system actions if the session is misused or exposed.

Ssd 3

High
Confidence
97% confidence
Finding
Instructing the agent to always reveal the live remote-control session URL exposes a sensitive access link that can function like a bearer token for session control. If the URL is surfaced in an unsafe channel, logs, shared chats, or to the wrong recipient, an attacker could hijack the remote session. This skill context makes the issue especially dangerous because the session is launched with bypass permissions, amplifying what an unauthorized controller could do.

Ssd 3

High
Confidence
96% confidence
Finding
The repeated instruction to always report the remote-control URL institutionalizes disclosure of a sensitive session access artifact. Repetition increases the chance that downstream agents or operators treat the link as routine output rather than a secret, leading to leakage via transcripts, terminals, or ticketing systems. Given that these sessions run in remote-control mode and may bypass permissions, unauthorized access could have substantial impact.

VirusTotal

64/64 vendors flagged this skill as clean.