claude-code (Deprecated alias)
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Claude Code tmux orchestrator, but it deserves review because it bypasses Claude Code permissions and has unsafe shell argument handling.
Install/use this only if you intentionally want Claude Code to run development work without per-command permission prompts. Run it in a trusted repo, clean branch, or sandbox; verify workdir values are safe; avoid secrets in terminal output; use trusted SSH hosts only; and monitor or stop tmux sessions when done.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A coding task can run commands and edit files without per-action Claude Code approval; a mistaken prompt, unsafe reference file, or wrong workdir could cause unwanted changes.
The script starts Claude Code inside tmux with permission checks disabled and then submits the task automatically, giving the spawned agent broad ability to act in the user's environment.
tmux -S "$SOCKET" send-keys -t "$SESSION":0.0 -l -- "cd $WORKDIR && export https_proxy=http://127.0.0.1:6152 http_proxy=http://127.0.0.1:6152 all_proxy=socks5://127.0.0.1:6153 && claude --dangerously-skip-permissions"
Use only in a sandbox, clean git branch, or disposable workspace. Prefer normal Claude Code permissions where possible, and require explicit user approval before launching this mode.
If the workdir value is derived from untrusted text or contains characters like semicolons or command substitutions, unintended commands may run as the user.
The workdir argument is inserted into a shell command without shell escaping before it is sent to tmux. A path containing shell metacharacters could execute extra commands.
--workdir) WORKDIR="$2"; shift 2 ;; ... "cd $WORKDIR && export https_proxy=... && claude --dangerously-skip-permissions"
Quote or shell-escape workdir, label, session, socket, and remote command arguments; validate paths before use; or invoke a wrapper script that receives arguments safely.
Claude Code work may continue after the initial chat turn and may consume resources or keep changing files until the session finishes or is stopped.
The skill intentionally creates long-running tmux sessions and callback-driven task delivery. This is disclosed and purpose-aligned, but it is persistent automation.
Start a dedicated tmux session. ... Always include callback via wrapper ... If no pane output for >2-3 min, inspect and restart session. Kill stale Claude processes before restart.
Monitor sessions with the provided attach/status commands, stop stale sessions deliberately, and avoid overlapping labels that could kill or replace the wrong session.
Using remote mode gives the skill the same access your SSH key/account has on that host and copies selected task materials there.
Optional remote mode uses the user's SSH identity to copy prompt files and run tmux/Claude Code commands on a remote host.
scp -q "$PROMPT_FILE" "${SSH_HOST}:${REMOTE_REF}" ... ssh -o BatchMode=yes "$SSH_HOST" "tmux -S '$SOCKET' new -d -s '$SESSION' -n shell"
Use only trusted SSH aliases and hosts, prefer limited-purpose keys/accounts, and confirm what prompt/report files will be copied.
Terminal output, build logs, or task text could be included in summaries; those logs may contain sensitive project details or secrets if commands print them.
The documented summary flow can include recent tmux pane output and send it through an OpenClaw gateway summarization call.
Each entry contains: ... lastLines ... bash {baseDir}/scripts/list-tasks.sh --json | openclaw gateway call summarize-tasks --stdin
Avoid running summaries on sessions that may display secrets, reduce captured lines, and review/redact reports or transcripts before sharing.
The skill may fail or use whatever matching binaries are present on PATH, which can surprise users in mixed or untrusted environments.
The script checks for runtime dependencies, while the registry metadata declares no required binaries. This is a dependency-contract gap rather than evidence of malicious behavior.
for tool in tmux claude rg python3 git; do
Declare required tools in metadata and verify local PATH/tool provenance before use.
