Skillv0.2.0

ClawScan security

Claude Code Orchestrator (tmux-first) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 15, 2026, 8:08 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill largely does what its name says (orchestrates Claude runs inside tmux) but contains several practical mismatches and risky instructions (missing declared dependencies, use of a '--dangerously-skip-permissions' flag, local proxy envs, scp/ssh copy paths and automatic wake callbacks) that warrant caution before installing or running.
Guidance: This skill appears to do what it says (manage Claude Code runs inside tmux) but you should not install or run it without reviewing and consenting to several things: 1) Inspect the scripts yourself — they will read your project directory, run 'git diff', and by default run 'npm run lint' and 'npm run build' (npm scripts can execute arbitrary code). 2) The startup command runs 'claude --dangerously-skip-permissions' — this disables internal permission checks in the Claude CLI and increases safety risk; avoid or remove that flag unless you trust the environment and prompts. 3) The startup sets local proxy env vars (127.0.0.1:6152/6153); confirm you understand what local services are listening there (a proxy could be used to capture/exfiltrate data). 4) The wake callback uses the OpenClaw CLI to send text and report paths; the skill does not declare that OpenClaw CLI auth or network access is required — ensure your OpenClaw credentials and endpoints are configured and you are okay with reports/notifications being sent externally. 5) Remote flows copy report files via scp/ssh to a 'mini' host — verify SSH targets and keys before using remote features. Recommended actions before running: run 'scripts/bootstrap.sh' to surface missing tools; add/verify presence of 'jq' and the OpenClaw CLI; run the scripts in an isolated/test repo first; remove or edit the '--dangerously-skip-permissions' flag and proxy exports if you do not want those behaviors; and do not run these scripts on repositories containing secrets unless you fully trust the workflow.

Review Dimensions

Purpose & Capability: noteThe name/description match the scripts: this is a tmux-based orchestrator for running Claude Code tasks and collecting reports. However, the skill omits a few obvious runtime dependencies from its metadata (the scripts require 'jq', 'ssh'/'scp' for remote flows, and the OpenClaw CLI for wake calls) and the SKILL.md/registry metadata don't declare that the OpenClaw CLI or SSH keys will be used. That omission is a transparency gap (not necessarily malicious) but important for users to know.
Instruction Scope: concernThe runtime instructions and scripts instruct the agent/operator to: launch 'claude' with the flag '--dangerously-skip-permissions', paste large prompts into an interactive Claude session, run git diff/lint/build in the target workdir, read project files, generate JSON/MD reports in /tmp, and send a wake callback to OpenClaw. All of these actions are within the stated purpose, but the use of the 'dangerously' flag, automatic reading of the project's workdir (and running npm scripts), and mandated automatic wake/callbacks increase the risk surface and deserve explicit user consent and review.
Install Mechanism: okThere is no install spec (instruction-only), and the skill ships shell scripts that are intended to be run directly. No remote downloads or archive extraction are present in the manifest. The lack of an install step lowers automatic risk, but the provided scripts will execute on the user's system when run.
Credentials: concernThe skill declares no required environment variables/credentials, yet the scripts: export proxy environment variables (https_proxy/http_proxy/all_proxy) when launching Claude, call 'openclaw gateway call wake' (which requires the OpenClaw CLI/auth), and use ssh/scp for remote flows (which will use the user's SSH keys). The skill also runs project-local npm scripts by default (lint/build), which can execute arbitrary code in the user's repo. These real credential/secret usages are not reflected in the declared metadata, which is a proportionality/transparency issue.
Persistence & Privilege: okThe skill is not always-enabled and does not claim system-wide persistence. It stores task delivery state under its own 'state/' directory and writes transient reports to /tmp. It does not modify other skills' configs. Remote SSH flows rely on the user's existing SSH keys/hosts; that is expected but should be acknowledged by users.