Claude Code Orchestrator (tmux-first)

Security checks across malware telemetry and agentic risk

Overview

This skill appears designed for real Claude/tmux task orchestration, but it gives autonomous agents broad local and remote execution authority by default without enough scoping or user safeguards.

Install only if you intend to run autonomous Claude Code sessions in a trusted sandbox or disposable workspace. Review the scripts first, avoid sensitive repositories and secrets, disable or gate --dangerously-skip-permissions, verify any MINI_HOST/proxy settings, and only provide lint/build commands and SSH targets you fully control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 83%
Finding
The skill clearly orchestrates shell-script execution (`bash .../scripts/*.sh`) and tmux/session management, yet it declares no explicit permissions or trust boundaries. That mismatch is dangerous because it can cause the host agent or user to invoke powerful local commands without an upfront security signal, reducing scrutiny around filesystem, process, and session access.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
The script explicitly launches `claude --dangerously-skip-permissions`, removing the normal permission gating for an autonomous coding agent that is also given a task prompt, working directory, and optional SSH execution path. In this skill context, that meaningfully expands what the agent can do on the host or remote system beyond a monitoring/orchestration role, so prompt injection, task misuse, or operator error could lead to unintended file modification, command execution, or access to sensitive resources.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
The script exports `https_proxy`, `http_proxy`, and `all_proxy` before launching Claude, forcing network traffic through local proxy endpoints. While not inherently malicious, this adds undisclosed network-routing capability that can enable monitoring, redirection, or broader egress in a skill described mainly as tmux-based task visibility and completion notification.

Missing User Warnings

High
Confidence: 98%
Finding
The instruction to launch `claude --dangerously-skip-permissions` deliberately disables safety checks for an interactive coding agent that is then given a prompt, filesystem context, and callback mechanism. In this skill's context, that materially increases the chance of unintended code execution, destructive edits, secret access, or persistence because the agent is being run with reduced safeguards and no user-facing warning or compensating controls.

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill documents remote task listing/monitoring via SSH and tmux capture without warning that transcripts, prompts, filenames, report paths, and potentially sensitive code or system output may be exposed on the remote host or across trust boundaries. Because this workflow explicitly captures pane output and structured task metadata, it can leak sensitive development context or secrets if the remote endpoint is less trusted or logging is enabled.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script performs high-impact operations—SSH, SCP, tmux session control, file transfer, and launching Claude with permission checks bypassed—without any explicit user confirmation, warning banner, or runtime acknowledgment. In combination, this can surprise operators into granting an autonomous agent broad local or remote execution authority, increasing the chance of unintended system changes or data exposure.

VirusTotal

64/64 vendors flagged this skill as clean.