Dangerous exec
Critical
- Finding
- Shell command execution detected (child_process).
Claude Anywhere
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it claims, but it gives chat users broad remote ability to drive Claude Code on your machine, including file/command work and scheduled tasks, without clearly documented access controls or sandboxing.
Install only if you intentionally want a remote Claude Code operator reachable through chat. Run it on a dedicated, non-root account or container, restrict who can message the bot, protect all bot/API tokens, review scheduled tasks and session retention, and assume authorized bot users can cause local files and commands to be accessed within the service account's permissions.
Static analysis
Dangerous exec
Critical
- Finding
- Shell command execution detected (child_process).
Env credential access
Critical
- Finding
- Environment variable access combined with network send.
Env credential access
Critical
- Finding
- Environment variable access combined with network send.
Env credential access
Critical
- Finding
- Environment variable access combined with network send.
Env credential access
Critical
- Finding
- Environment variable access combined with network send.
Potential exfiltration
Warn
- Finding
- Sensitive-looking file read is paired with a network send.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
What this means
Anyone who can interact with the configured bot audience could potentially cause Claude Code to read files, change files, run commands, or reveal command output within the permissions of the local host account.
Why it was flagged
The Telegram bridge forwards chat text into the Claude runner; paired with SKILL.md's advertised read/write-file and command-execution capabilities, this exposes host actions through a messaging interface without a visible allowlist or per-action authorization gate in the provided handler.
Skill content
bot.on("text", async msg => { ... const result = await core.runClaude(text, core.getSessionId(userId));Recommendation
Treat the bot as remote administrative access: restrict who can message it, add explicit user/chat allowlists, run it as a non-root user in a dedicated project or container, and require confirmation for file or command-changing actions.
Medium
What this means
A mistaken or unauthorized scheduled task could keep running after the original chat, repeatedly consuming the Claude account, reading local context, executing commands, or sending results back to chat.
Why it was flagged
Remote chat users can create natural-language cron tasks. Scheduled execution is disclosed, but recurring Claude Code tasks are persistent and the artifacts do not clearly bound what those jobs may do on the host.
Skill content
bot.onText(/^\/cron(?:\s+(.*))?$/s, async (msg, match) => { ... core.handleCommand(userId, { cmd: "cron", args: (match?.[1] || "").trim() }, pro);Recommendation
Enable cron only if needed, review `/cron list` regularly, remove unused jobs, restrict bot users, and run the service in a least-privilege environment.
What this means
Past work context can be reused later and may be visible to whoever has access to the relevant bot account or session controls.
Why it was flagged
The skill intentionally stores and resumes session context across devices/platforms. This is purpose-aligned, but the persisted context may include sensitive code, file paths, command results, or prior instructions.
Skill content
`/sessions` 列出所有会话,`/resume` 一键接续。你的工作进度,永远不会丢失。
Recommendation
Avoid sending secrets, understand where session data is stored and how long it remains, clear or rotate sessions when switching projects, and protect platform accounts used to access the bot.
What this means
If these tokens or the host account are exposed, another party could control the bot, consume the Claude account, or access platform APIs within the granted permissions.
Why it was flagged
The integration uses bot tokens, platform secrets, licensing data, and the local Claude CLI account. These credentials are expected for the purpose, but they are sensitive and some optional credentials are not reflected in the registry's required-env summary.
Skill content
TELEGRAM_BOT_TOKEN=... LICENSE_KEY=... LICENSE_SERVER_URL=https://license.claudeanywhere.com ... WECOM_SECRET= ... QQ_APP_SECRET=
Recommendation
Use dedicated bot accounts and tokens, keep `.env` private, rotate secrets if exposed, restrict filesystem permissions, and avoid running the service under a privileged user.
What this means
You may run code or dependency versions that differ from what was reviewed or expected, which matters because the tool has command-execution capability.
Why it was flagged
The install path pulls code and npm dependencies from an external repository even though the registry source is listed as unknown and there is no OpenClaw install spec.
Skill content
`git clone https://github.com/yizhao1978/claude-anywhere.git && cd claude-anywhere && npm install && cp .env.example .env`
Recommendation
Verify the repository and release tag, inspect package.json/package-lock.json, pin versions where possible, and install only from a trusted source.