Clawshell
Pass
Audited by ClawScan on May 10, 2026.
Overview
ClawShell is a disclosed shell-approval wrapper, but this artifact set is instruction-only, so users should verify the missing implementation and understand what command data is sent or logged.
Before installing, verify the actual ClawShell code and dependencies because this submission only includes instructions. If you use it, configure dedicated notification tokens, review the default risk rules, and check what command details are sent to push notifications or stored in logs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent's shell actions will depend on this wrapper's risk classification, and commands classified as medium or low may run without push approval.
The skill intentionally redirects all shell execution through its wrapper. This is central to the stated security purpose, but it gives the wrapper broad influence over what shell commands run.
Use `clawshell_bash` for ALL shell command execution. Do not use `bash` directly.
Use it only if you want all shell access routed through this tool, and review or customize the allowlist, blocklist, and risk rules before relying on it.
The clean static scan does not validate the actual shell wrapper or approval logic, because no code was available to scan.
The artifacts describe Node/npm setup and ClawShell tools, but the supplied package contains no implementation files or dependency lockfile to inspect.
No install spec — this is an instruction-only skill. No code files present — this is an instruction-only skill.
Verify the package contents, source, package.json, lockfile, and tool implementation before installing or trusting it as a security control.
If these tokens are mishandled, someone could potentially send notifications through the configured Pushover app or disrupt the approval workflow.
The skill requires Pushover credentials to send approval notifications. This is expected for the stated purpose, but it is still credentialed access to an external notification account.
env: ["CLAWSHELL_PUSHOVER_USER", "CLAWSHELL_PUSHOVER_TOKEN"]
Use a dedicated notification app/token, keep the credentials out of logs and prompts, and revoke or rotate them if the skill is removed or compromised.
Approval notifications may reveal command or task context to the configured notification provider, depending on the implementation.
The approval flow uses an external push-notification provider. The artifact does not specify exactly what command or context data is included in those notifications.
High-risk commands will block until you approve or reject via push notification.
Verify what data is sent in push messages, avoid putting secrets directly in shell commands, and use a notification provider/account you trust.
Past command activity may remain available to later agent sessions or anyone with access to the log directory.
The skill persists audit decisions locally and exposes recent log entries through clawshell_logs. Persistent command-decision history can become sensitive if it includes command text or paths.
All decisions are logged to `logs/clawshell.jsonl`
Check the log contents, configure log location and retention appropriately, and avoid logging secrets or sensitive command arguments.
