critical
suspicious.dangerous_exec
- Location
- handler.js:5
- Finding
- Shell command execution detected (child_process).
Claw Shell Hardened
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
A command that looks like it is being sent to tmux could execute locally in the OpenClaw process shell first, bypassing the intended session boundary and some safety checks.
Why it was flagged
The command string is interpolated into a shell command with only double quotes escaped. Shell expansions such as $() or backticks can be evaluated by the parent shell before tmux receives the text, contradicting the promise that commands run inside only the `claw` tmux session.
Skill content
const escaped = cmd.replace(/"/g, '\\"');
execSync(`tmux send-keys -t claw "${escaped}" C-m`);Recommendation
Use execFileSync or spawn with an argument array, for example calling tmux directly with separate arguments, so command text is not interpreted by an intermediate shell.
What this means
The agent may be able to run high-impact shell actions without the approval or containment users would expect from the safety text.
Why it was flagged
The tool accepts an arbitrary command string and only blocks a small set of literal substrings. Documented dangerous examples such as `docker system prune -a`, `chmod -R`, outbound uploads, obfuscated commands, or alternate delete forms are not reliably gated by the handler.
Skill content
const bad = ["sudo", " rm ", " rm-", "reboot", "shutdown", "mkfs", "dd "]; ... sendCommand(command);
Recommendation
Add explicit user-approval plumbing for high-impact operations, enforce documented network-exfiltration and destructive-command rules in code, and prefer allowlisted workflows for common safe operations.
What this means
Outputs from earlier shell activity could be returned to the agent unexpectedly, potentially leaking sensitive data or confusing the agent with stale terminal content.
Why it was flagged
The handler returns the last 200 lines of the persistent tmux pane rather than only the output of the current command. That pane history can contain prior commands, secrets, or stale instructions.
Skill content
const buf = execSync('tmux capture-pane -t claw -p -S -200');
return buf.toString("utf8");Recommendation
Clear or delimit the pane before each command, use unique start/end sentinels, and return only the output generated for the current invocation.
What this means
Commands or background processes may continue in the tmux session beyond the immediate request.
Why it was flagged
The persistent tmux session is disclosed and purpose-aligned, but it can keep shell state or long-running processes alive after a single tool call.
Skill content
Attach to tmux session `claw` (create it if missing: `tmux new -s claw -d`).
Recommendation
Monitor the `claw` tmux session, stop long-running processes when done, and consider adding a cleanup or session-reset command.
What this means
Users have less context for who maintains the skill or where to verify updates.
Why it was flagged
The artifacts include the handler source, but the package has limited external provenance information for a high-impact shell-execution skill.
Skill content
Source: unknown Homepage: none No install spec — this is an instruction-only skill.
Recommendation
Install only after reviewing the included handler and prefer a version with a declared upstream source and documented runtime requirements.