Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Code Tmux
v1.3.0
Run coding tasks using a persistent tmux session with git worktree isolation. Supports multiple coding agents (Claude Code, Codex, CodeBuddy, OpenCode, etc.)...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is described as a tmux+git-worktree orchestration helper, which matches the SKILL.md intent. However the registry metadata declares no required binaries or env vars while the runtime instructions clearly require git, tmux, Node/nvm, and one or more external coding-agent CLIs (claude, codex, opencode, codebuddy, etc.). That mismatch is incoherent: a skill that runs external CLIs should list those as required.
Instruction Scope
SKILL.md instructs the agent to create/kill tmux sessions, add/remove git worktrees, symlink the project's .env and .env.local into task worktrees, send keystrokes into interactive CLIs, capture panes, and even auto-send 'y' to prompts. These actions grant access to repository files and any secrets in .env, and run arbitrary CLI processes that could exfiltrate data. The file-write instruction (save preferred agent to MEMORY.md) and the explicit recommendation to use '--dangerously-skip-permissions' broaden the scope in ways that are not justified by the metadata.
Install Mechanism
This is instruction-only (no install spec or code files), which reduces installer risk. The README suggests 'npx clawhub@latest install ...' or cloning a GitHub repo, but there is no formal install specification in the registry. That's a minor inconsistency but not itself malicious.
Credentials
Declared required env vars/binaries are empty, yet the instructions require access to .env/.env.local (symlinking them into worktrees), plus git/tmux/node/nvm and external agent CLIs. Symlinking .env exposes local secrets to the spawned agent processes. The skill asks to persist a preference to MEMORY.md (file-write) but does not declare any config path permissions. Overall, requested and implied environment access is broader than the declared requirements.
Persistence & Privilege
The skill does not set always:true (good). It relies on the agent to run external processes and persist per-task branches/sessions, which is consistent with its purpose. However, combined with autonomous invocation (platform default) and the ability to run arbitrary CLIs and access .env files, this increases the practical blast radius if misused — consider restricting autonomous execution or running in an isolated environment.
What to consider before installing
This skill does what it says (orchestrates tmux + git worktrees) but has several red flags you should consider before installing or using it:
1) Metadata omission — the registry claims no required binaries/env vars, yet the instructions require git, tmux, Node/nvm, and external coding-agent CLIs; ask the author to correct the metadata.
2) Secrets exposure — the skill explicitly tells you to symlink your project's .env/.env.local into task worktrees; that gives any spawned agent process direct access to credentials/API keys. Avoid symlinking secrets unless you trust the agent CLI absolutely; prefer sanitized envs or run tasks in an isolated container/VM.
3) Dangerous flags and automated responses — the recommended '--dangerously-skip-permissions' flag and auto-sending 'y' to prompts can bypass safeguards; investigate what that flag does for the specific agent CLI (claude).
4) Persistent files — the skill writes preferences to MEMORY.md; review that file and where memory is stored.
5) Run in isolation — if you try it, run it in a disposable environment (container, VM, or throwaway repo) and verify agent behavior before letting it operate on important code or secrets.
If you plan to adopt it for regular use, request the maintainer to: (a) declare required binaries and config paths in metadata, (b) remove or make optional the .env symlink step, (c) remove recommendations to bypass permissions, and (d) document exactly what data the agent will see and what the memory persistence does.
Like a lobster shell, security has layers — review code before you run it.
