Back to skill
Skillv0.2.0
VirusTotal security
Claude Code Orchestrator (tmux-first) · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:57 AM
- Hash
- 0f7d570df27d8123675035e2848de15487a087ac83cb8bc02446abaab59b8aea
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: claude-code-orchestrator Version: 0.2.0 The skill is classified as suspicious due to multiple critical vulnerabilities. The `scripts/start-tmux-task.sh` and `scripts/complete-tmux-task.sh` scripts directly execute user-supplied `--lint-cmd` and `--build-cmd` arguments without sanitization, leading to a shell injection vulnerability (RCE). Furthermore, `scripts/start-tmux-task.sh` launches the Claude agent with `--dangerously-skip-permissions`, significantly increasing the risk of prompt injection leading to arbitrary code execution. The skill also instructs the Claude agent to use `scp` and `ssh` to a `MINI_HOST` for callbacks, creating a potential channel for data exfiltration or remote command execution if the agent is compromised.
- External report
- View on VirusTotal