Claude Code Task

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly coherent with its async Claude Code purpose, but it grants a background agent broad local authority and exposes messaging credentials/output in ways users should review carefully.

Install only if you intentionally want Claude Code to run in the background with broad local authority and send progress/results to Telegram or WhatsApp. Use a disposable or tightly scoped project directory, avoid secrets, verify the destination chat/thread, set short timeouts for risky work, and patch or avoid the temporary bot-token helper and `run-task.sh` before use on a shared or sensitive machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        claude_cmd.extend(["--resume", args.resume])

        # Start Claude Code
        proc = subprocess.Popen(
            claude_cmd,
            cwd=str(project),
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            text=True,
        )
Confidence
97% confidence
Finding
proc = subprocess.Popen( claude_cmd, cwd=str(project), stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            trace_live(token, session_key, trace_enabled, "[TELEGRAM][WAKE]",
                       f"dispatching openclaw agent wake (project={project_name}, output={output_file_path}, wake_id={wake_id})",
                       thread_id, reply_to)
            result = subprocess.run(cmd, capture_output=True, text=True, timeout=40)
            if result.returncode == 0:
                print(f"✓ Agent woken via openclaw agent", file=sys.stderr)
            else:
Confidence
92% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=40)

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill reads the Telegram bot token from local config and talks directly to the Telegram Bot API, bypassing the normal gateway control plane. This weakens auditing and policy enforcement, and any compromise of this script or its inputs can exfiltrate messages through an uncontrolled external channel using long-lived credentials.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The script dynamically writes a notification helper containing the Telegram bot token to `/tmp` and then instructs Claude Code to execute it during task processing. This exposes credentials in a world-accessible temporary location and gives the external coding agent an explicit capability to message arbitrary progress updates outside the normal gateway controls, creating a strong exfiltration and abuse path.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script silently reads a bearer token from a local credential store and uses it to call a gateway API, even though the stated purpose is to run a coding task and notify on completion. Embedding credential access into the skill expands its authority and creates a risk of unauthorized message sending or abuse if the script is triggered in an untrusted context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accesses a local auth token without any user-facing disclosure, which prevents informed consent and hides a sensitive capability from the operator. In a tool that executes arbitrary coding tasks, concealed credential use makes the overall behavior more dangerous because users may not realize the skill can act on their behalf against other services.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script packages task text, project path, and up to 2000 bytes of command output into a notification and transmits it to another service without explicit warning. Because Claude Code may process sensitive source code or secrets, this creates a meaningful data exfiltration channel from the local environment to an external messaging workflow.

Ssd 1

Medium
Confidence
95% confidence
Finding
The embedded automation context tells Claude Code to run a local notification script, effectively injecting hidden operational instructions and an outbound messaging capability into the model prompt. In this skill context, that is dangerous because the model is being given a covert side channel for external communication during task execution, which can be abused for data leakage or unauthorized signaling.

Ssd 4

Medium
Confidence
88% confidence
Finding
The wake narrative is designed to strongly steer the downstream agent's visible behavior, continuity assumptions, and decision to continue iterating. In a chained-agent system, this increases the chance that untrusted output from one autonomous run can manipulate subsequent agent actions and user-facing messages without adequate validation.

Ssd 4

Medium
Confidence
88% confidence
Finding
Even in single mode, the wake message scripts how the downstream agent should interpret continuity and what visible response pattern it should follow. That kind of prompt-based control over another agent is risky because it turns untrusted completion state into a mechanism for influencing subsequent privileged behavior.

VirusTotal

64/64 vendors flagged this skill as clean.
