ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claude Code Wingman

v0.3.0

Your Claude Code wingman - orchestrate multiple Claude Code sessions across projects, monitor them all from WhatsApp

10· 3.4k·6 current·6 all-time
by@yossiovadia
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The scripts and SKILL.md are coherent with the stated purpose (spawn Claude Code in tmux, monitor sessions, notify via WhatsApp). However the package metadata in the registry omits some actual runtime needs: SKILL.md and scripts require jq, curl and expect a Clawdbot webhook/phone configuration, but the registry lists only 'claude' and 'tmux' as required binaries and declares no required env/config paths. That mismatch (undeclared tooling and config file access) is a concern.
!
Instruction Scope
SKILL.md instructs the agent to run many shell scripts (start sessions, start approvers, run master-monitor, call lib/handle-approval.sh on WhatsApp commands). Those instructions cause the agent to: create tmux sessions, send keystrokes to those sessions, read and write files under /tmp and ~/.clawdbot, and make HTTP requests to webhook endpoints. The critical 'handle approval commands first' rule telling the agent to immediately run handle-approval.sh for matching messages gives the agent direct ability to execute local shell commands — this is consistent with the purpose but amplifies risk and should be explicitly declared.
Install Mechanism
There is no install spec in the registry (skill is instruction-only), but the bundle includes full scripts and manual-install instructions that clone a GitHub repo. No external arbitrary downloads or shorteners are used. The source URL is present in docs (GitHub), but the registry lists 'Source: unknown' / homepage none — that mismatch (packaged code vs registry source metadata) is notable but not outright malicious.
!
Credentials
Scripts optionally read or require CLAWDBOT_WEBHOOK_TOKEN, CLAWDBOT_PHONE, CLAWDBOT_CONFIG (~/.clawdbot/clawdbot.json) and allow overriding the webhook URL via env. None of these env vars or config paths are declared as required in the registry metadata. The skill will attempt to read the user's Clawdbot config and/or expect a webhook token/phone; that is access to user-specific credentials/config that should be declared and reviewed before install.
Persistence & Privilege
The package provides a master-monitor daemon script designed to run persistently (PID file, /tmp state dir, repeated notifications), and SKILL.md suggests installation into Clawdbot and restarting the gateway. The skill metadata does not set always:true, but the scripts are explicitly designed to be run as long-lived processes and to send external notifications. This persistence is not reflected in registry privilege metadata and should be considered when deciding to install.
What to consider before installing
Things to check before installing or running this skill: - Review the code yourself (especially auto-approver.sh, interactive-approver.sh, master-monitor.sh, and lib/send-notification.sh). The auto-approver will automatically approve 'Do you want' prompts and folder trust prompts, which may allow Claude Code to execute tools, write files, or run shell commands without further human confirmation. - Confirm where notifications go and who controls the webhook: lib/send-notification.sh will use CLAWDBOT_WEBHOOK_TOKEN, CLAWDBOT_PHONE or ~/.clawdbot/clawdbot.json and by default posts to http://127.0.0.1:18789/hooks/agent unless overridden. Make sure the webhook URL/token are under your control and not pointed at a remote endpoint you don't trust. - Be aware of undeclared requirements: scripts use jq, curl and expect access to ~/.clawdbot/clawdbot.json and /tmp state files. The registry metadata lists only 'claude' and 'tmux' — verify you have or want to grant these additional accesses. - Prefer interactive mode: avoid running with --auto unless you fully trust the environment and understand that prompts (including ones that could allow running arbitrary tool calls) will be auto-approved. - If you want to test safely: run the scripts in an isolated VM/container or sandbox, do not point webhook env vars to production endpoints, and do not run master-monitor as a daemon until you verify behavior. - Fix/inspect minor issues: some scripts reference variables that are not set (e.g., lib/approval-respond.sh echoes $NORMALIZED which is never defined) — expect small bugs. Overall: this skill is plausible for its stated goal, but it requires careful review and explicit configuration of webhook tokens and approval modes before use; treat it as untrusted code until you inspect and control its configuration and runtime environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cz4nxgyjertp272rwgx2xvs801ydm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦅 Clawdis
Any binclaude, tmux

Comments