Claude Code Pro

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it deserves Review because it starts persistent Claude Code sessions that skip permission prompts by default.

Install only if you are comfortable with a background Claude Code process acting as your local user. Prefer plan mode where possible, run it only in trusted version-controlled worktrees, avoid sensitive directories, review session output before trusting completion callbacks, and stop sessions when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 85%
Finding
The documentation exposes `stop.sh --session` and especially `stop.sh --all` as routine commands without cautionary language, confirmation guidance, or scope warnings. In an agentic workflow, this increases the likelihood of accidental termination of active background work, causing denial of service, lost progress, or interruption of unrelated sessions sharing the same environment.

Missing User Warnings

Medium
Confidence: 87%
Finding
The script prints the last line of each tmux pane, which may contain recent Claude Code output, prompts, file paths, secrets, or other sensitive workspace data. Because this disclosure happens automatically in both human-readable and JSON modes without any warning, callers may expose confidential content simply by listing sessions.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script writes the full message content to a temporary file in /tmp before sending it to tmux. Even though mktemp creates a uniquely named file with restrictive permissions by default, this still creates an unnecessary at-rest copy of potentially sensitive prompts or code on disk, which can be exposed via local compromise, forensic recovery, backups, or crashes before cleanup. In this skill's context, messages may contain source code, secrets, or operational instructions, making the disclosure risk more significant.

VirusTotal

64/64 vendors flagged this skill as clean.
