Claude Code Wingman

Security checks across malware telemetry and agentic risk

Overview

Review recommended: this is a coherent Claude Code orchestration tool, but it can run background Claude Code sessions and approve powerful coding actions with limited containment.

Install only if you are comfortable with this skill launching Claude Code workers that can change local projects. Use it on disposable branches or contained worktrees, avoid auto/always approvals for sensitive repos, inspect the scripts you actually run, protect your Clawdbot config, and stop any monitor daemons when finished.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If auto mode or broad approval is used, Claude Code may run shell commands or edit project files with little per-action review.

Why it was flagged

The auto-approver watches Claude Code permission prompts and selects a broader approval option using tmux key presses, without validating the requested command, tool, or file path.

Skill content
elif echo "$OUTPUT" | grep -q "Do you want"; then ... tmux send-keys -t "$SESSION_NAME" Down Enter
Recommendation

Avoid '--auto' and 'always' in sensitive repositories; add explicit tool/path allowlists and require confirmation for Bash commands, deletes, network access, secrets, and multi-file writes.

ASI04: Agentic Supply Chain Vulnerabilities
Medium
What this means

A user or agent may end up executing unreviewed or changed scripts with the same high-impact approval authority.

Why it was flagged

The runtime instructions depend on an unpinned external GitHub clone and absolute paths outside the installed skill package, so the code actually executed may differ from the reviewed artifact.

Skill content
git clone https://github.com/yossiovadia/claude-code-orchestrator.git ... ~/code/claude-code-orchestrator/lib/handle-approval.sh approve <session>
Recommendation

Package the scripts with the skill, use the installed skill path, pin external sources to a commit or release, and declare all required binaries such as tmux, claude, jq, curl, and bash.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Another same-account process or skill that can write those response files could approve or deny Claude Code actions, and prompt details may be left in local temporary files.

Why it was flagged

Approval decisions are passed through predictable files under /tmp and then translated into tmux keystrokes, with no nonce, origin binding, or session ownership check shown.

Skill content
APPROVAL_DIR="/tmp/claude-approvals" ... RESPONSE=$(cat "$RESPONSE_FILE") ... always|2) ... tmux send-keys -t "$SESSION_NAME" Down Enter
Recommendation

Use a private 0700 state directory, random per-approval tokens, strict session ownership checks, and minimize or protect stored prompt details.

ASI10: Rogue Agents
Medium
What this means

If left running, it can keep watching terminal sessions and sending approval notifications beyond a single requested task.

Why it was flagged

The master monitor is a long-running daemon that repeatedly scans tmux sessions, and the session list is not limited to sessions created by this skill.

Skill content
while true; do ... SESSIONS=$(get_sessions) ... tmux list-sessions -F "#{session_name}"
Recommendation

Start the daemon only explicitly, provide clear stop instructions, filter to managed session prefixes, and add timeouts or cleanup for completed work.

ASI03: Identity and Privilege Abuse
Low
What this means

The skill can use the local Clawdbot webhook identity to send WhatsApp notifications to the configured phone number.

Why it was flagged

The notification helper reads the local Clawdbot configuration and webhook token to send WhatsApp notifications, which is purpose-aligned but sensitive and not declared in the registry credential fields.

Skill content
CLAWDBOT_CONFIG="${CLAWDBOT_CONFIG:-$HOME/.clawdbot/clawdbot.json}" ... WEBHOOK_TOKEN=$(jq -r '.hooks.token // empty' "$CLAWDBOT_CONFIG"
Recommendation

Declare the config path and token use clearly, protect the Clawdbot config file, and verify the recipient phone and local webhook URL before running the monitor.