ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claude Code Delegate

Delegate programming tasks to Claude Code CLI

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 263 · 0 current installs · 0 all-time installs
by@chenhab03
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description match its instructions: it delegates programming tasks to a local Claude Code CLI. However, the top-level registry metadata provided to you (which showed no required binaries/env) contradicts the embedded _meta.json/README/SKILL.md that explicitly require the 'claude' CLI and an ANTHROPIC_API_KEY or logged-in 'claude' session. That mismatch is an incoherence that should be resolved before trusting the skill.
!
Instruction Scope
SKILL.md instructs the agent to run shell commands (cd && claude -p ...) and to use --permission-mode bypassPermissions which grants broad filesystem read/write. The skill does include strong warnings and a recommended write-guard plugin, but the write-guard is only 'strongly recommended' not enforced. The instructions also require the agent to execute background processes and to poll them later — this is operationally complex and easy to mis-use (e.g., launching tasks against sensitive directories). Overall the runtime instructions permit actions that can read/modify any file on disk if the user omits the write-guard or runs in an unsafe directory.
Install Mechanism
This is instruction-only (no install spec) which keeps disk write risk low, but the README and SKILL.md instruct users to install the Claude Code CLI via npm (npm install -g @anthropic-ai/claude-code). The absence of a formal install spec in the skill registry is an inconsistency: the agent's environment may not have the CLI and the skill relies on that external install step.
!
Credentials
Requesting an Anthropic/Claude API key (or a logged-in 'claude' CLI) is proportionate to the claimed purpose. The problem is inconsistent declaration: the skill files and README expect ANTHROPIC_API_KEY and the 'claude' binary, but the top-level metadata provided earlier listed none. Also the guidance to run with --permission-mode bypassPermissions effectively requires broad filesystem access for the delegate — that level of privilege is plausible for a code-writing tool but is high-risk unless protected by an enforced guard. The mismatch in declared vs actual required credentials is the main proportionality issue.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable, which is appropriate. It recommends adding a write-guard plugin that hooks into platform events (before_tool_call) — creating such a plugin modifies platform behavior, which is reasonable for enforcing safety but does require elevated configuration access. Nothing in the skill tries to persist credentials or reconfigure other skills automatically, but the recommended guard itself needs to be installed by a human operator.
What to consider before installing
This skill appears to do what it says (delegate code work to a local Claude Code CLI) but there are red flags you should address before using it: - Clarify metadata: the skill's files expect the 'claude' CLI and an ANTHROPIC_API_KEY, but the provided top-level registry metadata listed none. Ask the author to fix the manifest so required binaries/env are declared correctly. - Run in an isolated project directory first. Do not run the delegate from your home directory or against repos containing secrets or platform config. - Install the Claude Code CLI and confirm authentication manually (claude --version and claude login) before delegating. - Implement the write-guard BEFORE using the delegate. The skill recommends a plugin that blocks writes to OpenClaw/platform config — install such a guard and test it thoroughly. If you can't or won't install the guard, do NOT use --permission-mode bypassPermissions. - Consider adding an explicit install spec or verifying the npm package origin before installing (@anthropic-ai/claude-code). Prefer official releases and check checksums if possible. If you cannot verify these points or the author does not correct the manifest inconsistency, treat the skill as risky and avoid running it on machines with sensitive files or credentials.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.1
Download zip
latestvk97byg29fm37jdd1a5p6st6drh82860f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Claude Code Delegate

Delegate programming tasks to local Claude Code CLI.

RULE: You NEVER write code directly. ALL programming goes through claude -p.

Prerequisites Check (Run Before First Use)

Before delegating any task, verify the environment is ready:

  1. Claude Code CLI installed: Run which claude — if not found, tell user: npm install -g @anthropic-ai/claude-code
  2. API key configured: Run claude --version — if it errors about auth, tell user to run claude and complete login
  3. Write-guard active (STRONGLY RECOMMENDED): Check if a write-guard plugin exists at .openclaw/extensions/write-guard/. If not, warn the user:

    ⚠️ No write-guard detected. The delegate uses --permission-mode bypassPermissions which grants full filesystem read/write access. It is strongly recommended to set up a write-guard plugin before running tasks. See README.md for setup instructions.

Only proceed with delegation after items 1 and 2 pass. Item 3 is a warning — the user may choose to proceed without it, but should be informed of the risk.

When to Trigger

Auto-trigger on ANY of these:

  • Write, modify, refactor, debug code
  • Create project files or directories
  • Run tests, lint, build
  • Code review, architecture planning
  • Edit any file (except memory/ and .relationship/)

Manual trigger: user sends /code <task>

Do NOT trigger: chat, emotional interaction, information lookup.

Command Template

cd "<project_dir>" && claude -p "<task_description>" --output-format text --max-turns 10 --permission-mode bypassPermissions

Parameters

ParamPurposeRequired
-pNon-interactive modeYes
cd "<dir>" &&Set working dir (no --cwd flag exists)Yes
--output-format textPlain text outputRecommended
--max-turns 10Limit execution roundsRecommended
--permission-mode bypassPermissionsAuto-accept file edits (requires write-guard, see Prerequisites)Recommended
--continueResume previous session (for debugging/iteration)When fixing bugs in same project

FORBIDDEN: --dangerously-skip-permissions

Timeout

Set exec timeout to 300 (5 minutes). The delegate needs time to write code.

Async Flow (CRITICAL)

The delegate MUST NOT block you. You must remain responsive to the user at all times.

Correct Flow

Step 1: exec claude -p "..."          → get session ID (e.g. "marine-sage")
Step 2: IMMEDIATELY reply to user     → "On it! Working on that now."
Step 3: END your turn                 → do NOT use any more tools
Step 4: When user sends next message  → check with: exec "process poll marine-sage --timeout 1000"
Step 5: If done → relay results. If not done → tell user "still working", continue chat

WRONG (causes blocking)

exec claude -p "..." → process poll → (BLOCKED! user waits with no response)

Rules

  1. After exec claude -p, you MUST reply to user and END your turn. No more tool calls.
  2. NEVER use process tool directly. Use exec "process poll <id> --timeout 1000" on next user message.
  3. Only check the delegate's status when the user sends a NEW message.
  4. You can run multiple claude -p tasks in parallel.

Task Description Rules

  1. Clear objective: what to do, which file
  2. Provide context: function names, error messages, expected behavior
  3. Specify constraints: language, framework, code style
  4. One task per call

Debugging / Iteration

When user reports bugs in code the delegate previously wrote:

  • Use --continue flag to resume the delegate's session context
  • Same project directory + --continue = the delegate remembers what it wrote
  • Translate user's feedback into clear bug description for the delegate

Testing / Verification (Independent Review)

After the delegate writes code, use a separate fresh session (NO --continue) to test and verify it.

Why: The author has context bias. A fresh session reads the source code independently — like an external code reviewer. This catches issues the author missed.

Flow

Step 1: claude -p "Write X in projects/X/"              → Author session (can use --continue to iterate)
Step 2: claude -p "Run and test projects/X/, report bugs" → Tester session (ALWAYS fresh, NO --continue)

Rules

  1. Author session: writes code, can use --continue to iterate on bugs
  2. Tester session: NEVER uses --continue — must read source fresh
  3. Tester reports: what it ran, output, pass/fail, bugs found
  4. If tester finds bugs → relay to user, then send fix task to author session (with --continue)

When to Auto-Test

  • User says "test it" or "run it" after writing → use fresh session
  • User says "fix the bug" after testing → use --continue on author session
  • User says "run hot_sectors.py" (existing program) → fresh session (no prior context needed)

Session Decision Rule

Scenario--continue?
Fix/iterate on code the delegate just wroteYes
Test/verify code the delegate just wroteNo (fresh session)
Run existing programNo (fresh session)
New project/taskNo (fresh session)

Relaying Results

The delegate does not talk to the user directly. You relay all results.

When relaying:

  1. Summarize what was done and which files changed
  2. Add the delegate's personality (see PERSONA.md for character template)
  3. Add your own reaction

Keep technical summary concise. Do not copy the delegate's full output verbatim.

Error Handling

ErrorAction
command not foundTell user to install: npm install -g @anthropic-ai/claude-code
Empty outputAsk user to clarify the task
TimeoutSuggest breaking into smaller tasks
Permission errorAsk user to check file path
API errorAsk user to run claude to check login status

Failure Rule

If the delegate fails or times out, do NOT write code yourself.

Tell the user: "The coding task didn't finish. Want me to try again?"

Retry with longer timeout or simpler task description. Only write code yourself if user explicitly says "you do it" (not recommended).

Security Best Practices

  1. Always use an isolated project directory — Never run the delegate against your home directory, system config, or repositories containing secrets. Use a dedicated projects/ or workplace/ directory.
  2. Set up the write-guard plugin — This is the most important safety measure. See README.md for the full plugin code. The write-guard blocks writes to platform config files (.openclaw/, LaunchAgents/, auth profiles) at the platform level.
  3. Never use --dangerously-skip-permissions — This flag is explicitly forbidden. --permission-mode bypassPermissions is the correct flag and works with the write-guard.
  4. Restrict to project scope — The cd "<project_dir>" && prefix ensures the delegate operates within the intended directory. Never omit it.
  5. Review delegate output — Always relay results through the main agent. Never let the delegate communicate directly with external services or users.

Files

4 total
Select a file
Select a file to preview.

Comments

Loading comments…