Skillv1.0.0

ClawScan security

claude-code-noninteractive-in-node · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 29, 2026, 4:35 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions plainly require a claude CLI and an ANTHROPIC_API_KEY and advise using broad permission flags, but the registry metadata declares no binaries or credentials — that's an incoherence and a potential security risk.
Guidance: Do not install blindly. The instructions require the 'claude' CLI and an ANTHROPIC_API_KEY but the skill registry metadata omits both — ask the publisher to declare required binaries and the primaryEnv. Before using: (1) verify the claude binary and its provenance on the remote Node, (2) avoid placing long-lived API keys in ~/.bashrc on shared machines; prefer ephemeral tokens or a secrets manager, (3) do not use '--dangerously-skip-permissions' or bypass modes on untrusted Nodes, and (4) confirm the Node operator is trusted and review Node security policies. If the publisher updates the metadata to declare the API key and binary requirements (and documents why broad permission flags are needed), the inconsistency would be resolved and this evaluation could be reconsidered.

Review Dimensions

Purpose & Capability: concernThe SKILL.md expects a local 'claude' CLI and an ANTHROPIC_API_KEY to be present and exported into non-interactive shells, but the registry metadata lists no required binaries or environment variables. A remote exec skill legitimately needs the claude binary and an API key; their absence from the declared requirements is a mismatch.
Instruction Scope: concernInstructions explicitly tell the agent to run remote shell commands via 'bash -lc', read environment variables, run diagnostics (whoami, ps), write scripts to /tmp, and recommend using '--dangerously-skip-permissions' or broad '--allowedTools' settings. Those steps can perform reads/writes and enable network access on the Node — appropriate for remote coding but they broaden what the agent will do and could enable exfiltration if misused or run on an untrusted node.
Install Mechanism: okThis is an instruction-only skill with no install spec or downloaded code, so there is no installer risk. However, it relies on external tooling (claude CLI) being present on the Node, which is not declared.
Credentials: concernThe SKILL.md requires ANTHROPIC_API_KEY and shows commands that inspect $HOME and other env state, but the skill metadata declares no required env vars or primary credential. Requesting an API key (a sensitive secret) without declaring it is disproportionate and obscures the credential surface.
Persistence & Privilege: noteThe skill is not always-enabled and does not request system-wide persistence. It does recommend editing ~/.bashrc to export a long-lived API key (which grants ongoing access from non-interactive shells) and suggests background execution in examples — users should be aware that adding a persistent API key to shell startup increases blast radius if the Node is shared or compromised.