Skill v0.1.0

ClawScan security

claude-code (Deprecated alias) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 15, 2026, 8:08 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's scripts largely match its advertised tmux-based Claude Code orchestration purpose, but metadata omits required tooling and the runtime instructions contain network/proxy and callback behaviors (claude --dangerously-skip-permissions, local proxy env, openclaw wake/call) that deserve careful review before use.
Guidance
This package is a tmux-based orchestrator and the scripts do implement that, but there are three practical concerns before installing/running it:
1) Metadata omission — the package does not declare required binaries but the scripts require tmux, the 'claude' CLI (run with --dangerously-skip-permissions), rg, python3, git, jq, ssh/scp and the OpenClaw CLI. Ensure you have and trust these binaries.
2) Data flow — the workflow captures tmux transcripts, workspace diffs, and writes JSON/MD reports in /tmp and uses the OpenClaw CLI to send wake callbacks; if you use the example 'openclaw gateway call summarize-tasks' you will be sending transcripts/reports to OpenClaw. Review whether that is acceptable for your data.
3) Proxy & network routing — the start script force-sets https/http/all_proxy to localhost:6152/6153 for the claude process; confirm you control any local proxy to avoid unexpected network routing.
Recommended actions: manually review the scripts (especially start-tmux-task.sh, wake.sh, and any remote scp/ssh targets), run scripts/bootstrap.sh --dry-run to check for missing tools, avoid running as root, and only run against projects/hosts you trust. If the maintainer can update the registry metadata to list required binaries/CLIs and document the proxy behavior, that would reduce risk and increase confidence.

Review Dimensions

Purpose & Capability
concern: The SKILL.md describes orchestrating Claude Code in tmux and the included scripts implement that. However the registry metadata claims no required binaries or credentials while the scripts explicitly require/expect many tools (tmux, claude, rg, python3, git, jq, ssh/scp, openclaw CLI). That mismatch (metadata says 'none' but the code needs many tools) is incoherent and should be clarified.
Instruction Scope
note: Runtime instructions and scripts legitimately read workspace files, run git status/diff, capture tmux panes, and require reading/writing completion reports under /tmp — all consistent with delivering an observable task. Notable runtime behaviors: they run 'claude --dangerously-skip-permissions', set https_proxy/http_proxy/all_proxy to localhost for the launched claude process, and call the OpenClaw CLI (openclaw gateway call wake / openclaw gateway wake) to deliver wake callbacks. These behaviors mean transcripts/reports and possibly pasted prompt contents can be transmitted outwards (to the OpenClaw gateway or via whatever proxy is listening).
Install Mechanism
note: There is no external install spec (no network download/install), which lowers install-time risk. However the skill includes executable scripts that will run on the host when invoked; users should treat these as code they must review. The package does not attempt to fetch archives from unknown URLs.
Credentials
concern: The skill declares no required env vars/credentials but the scripts implicitly depend on the OpenClaw CLI, the 'claude' binary, and SSH access to remote hosts (scp/ssh to MINI_HOST/SSH_HOST). The start script also forces export of proxy env vars (127.0.0.1:6152/6153) for the claude process, which can redirect network traffic through a local proxy — a potential exfiltration vector if a proxy is present. Asking for SSH/scp access and invoking external CLIs is plausible for this purpose but the lack of explicit declarations in metadata is disproportionate and increases risk if users assume no external access is needed.
Persistence & Privilege
ok: The skill does not request 'always: true' and does not modify other skills or global agent configuration. It writes small state files into its own state/ directory and writes completion reports into /tmp; these are expected for the stated workflow. It will rely on any existing SSH keys/agent for remote operations but does not escalate privileges itself.