Skill v0.2.1
ClawScan security
Claude Code Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 9, 2026, 8:26 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions largely match a tmux-based bridge to a local Claude Code CLI, but the metadata omits declarations the script depends on (the CLAUDE_BIN environment variable and the $HOME/.openclaw/cc-bridge state directory), and the bridge lets remote chat participants drive a local interactive CLI, including commands that can read and write files. Review the script and its access control before installing.
- Guidance
- This skill does what it says (bridges chats to a persistent local Claude Code terminal), but it grants chat participants the ability to inject arbitrary input into a local CLI process and captures terminal output to local logs. Before installing: (1) review the full scripts yourself, especially the send-keys and pipe-pane usage; (2) ensure only trusted channels and users can reach this skill (OpenClaw should enforce author/channel restrictions); (3) confirm you actually want a remote-to-local CLI bridge, since it can be used to run commands that read secrets or modify files; (4) explicitly set and verify CLAUDE_BIN, and ensure tmux and claude are installed; (5) tighten file permissions on $HOME/.openclaw/cc-bridge and audit the generated logs, which hold whatever the CLI printed; (6) if you need stricter safety, add explicit authentication/authorization checks in the bridge (for example an allowlist of chat IDs) or avoid installing it in environments with sensitive data.
Review Dimensions
- Purpose & Capability
- note: The name/description (bridge chat → persistent local Claude Code CLI via tmux) matches the included script and instructions: tmux session management, send-keys, capture-pane, etc. Requiring tmux and a local claude binary is coherent with the stated purpose.
- Instruction Scope
- concern: SKILL.md and the script instruct the agent to start/stop sessions, forward arbitrary user messages into a live CLI, simulate keypresses (including Ctrl sequences), capture terminal output to a local log, and automatically approve or deny TUI prompts based on chat responses. The instructions document no message-author or channel-level access control; forwarding arbitrary chat messages to a local CLI is a high-impact capability, since Claude Code can execute commands and read or write files on the sender's behalf. SKILL.md references the script path under ~/.openclaw/workspace/skills/cc-bridge, which is consistent, but prompt handling relies on matching runtime strings such as "Do you want to proceed" in captured output, which is brittle: a reworded prompt, or ordinary output that happens to contain that string, can produce a missed or spurious auto-approval.
- Install Mechanism
- ok: There is no remote install or download step; the skill is instruction-only and ships the bridging script with it. No external packages or network fetches are performed at install time, so supply-chain risk is lower. The script does, however, create local state under $HOME/.openclaw/cc-bridge.
- Credentials
- concern: The metadata declares no required environment variables or config paths, yet the script reads CLAUDE_BIN (undeclared) and creates and uses $HOME/.openclaw/cc-bridge for logs and read offsets. It also assumes tmux and a usable claude binary on PATH. These implicit dependencies, and the fact that terminal output is captured to logs, should have been declared; without them it is unclear what secrets or files the skill can reach.
- Persistence & Privilege
- note: always: false (no forced global enable). The skill writes state and logs to $HOME/.openclaw/cc-bridge and creates tmux sessions named ccb_<id>, which is normal for this functionality. Autonomous invocation is allowed by default (not unique to this skill), but combined with the bridge behavior it increases the blast radius if untrusted chats can trigger actions.
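The access-control and state-directory hardening that the Guidance and the Instruction Scope / Credentials dimensions above ask for, written out as an added example. This is not the cc-bridge skill's own script and not code from ClawHub or OpenClaw; it is a POSIX sh policy layer that would sit between the chat channel and tmux. CLAUDE_BIN, $HOME/.openclaw/cc-bridge and the ccb_<id> session names are taken from the review; the variables CCB_ALLOWED_CHAT_IDS, CCB_STATE_DIR and CCB_DRY_RUN, every ccb_* function, and the assumption that the TUI prompt accepts y/n are mine.

```shell
#!/bin/sh
# Added example: a policy layer in front of the tmux bridge. Not the cc-bridge
# skill's own script. Assumed (not from the skill): CCB_ALLOWED_CHAT_IDS,
# CCB_STATE_DIR, CCB_DRY_RUN, all ccb_* functions, and y/n as prompt answers.
# CLAUDE_BIN, $HOME/.openclaw/cc-bridge and session names ccb_<id> are the
# names the review cites.

CCB_STATE_DIR="${CCB_STATE_DIR:-$HOME/.openclaw/cc-bridge}"
CCB_ALLOWED_CHAT_IDS="${CCB_ALLOWED_CHAT_IDS:-}"  # comma-separated; empty = deny all
CCB_DRY_RUN="${CCB_DRY_RUN:-1}"                   # 1 = print tmux commands, 0 = run them

# Append an audit line (who was allowed/denied), never the forwarded text.
ccb_log() {
  [ -d "$CCB_STATE_DIR" ] || return 0
  printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" >>"$CCB_STATE_DIR/bridge.log"
}

# Default-deny allowlist, exact match only: "12" is not admitted by "123", and
# an ID containing a comma is rejected so it cannot straddle two entries.
ccb_is_allowed() {
  [ -n "$CCB_ALLOWED_CHAT_IDS" ] || return 1
  case "$1" in ""|*,*) return 1 ;; esac
  case ",$CCB_ALLOWED_CHAT_IDS," in
    *",$1,"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reject control characters (newline, CR, ESC, Ctrl-x bytes) so free text
# cannot smuggle an Enter or a Ctrl-C into the session.
ccb_input_is_clean() {
  case "$1" in
    *[[:cntrl:]]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Create the state/log dir owner-only (chmod 700 also repairs an existing,
# looser dir) and verify the mode before anything is written there.
ccb_init_state_dir() {
  (umask 077 && mkdir -p "$CCB_STATE_DIR") || return 1
  chmod 700 "$CCB_STATE_DIR" || return 1
  case "$(ls -ld "$CCB_STATE_DIR" | cut -c1-10)" in
    drwx------) return 0 ;;
    *) return 1 ;;
  esac
}

# Resolve the CLI explicitly: CLAUDE_BIN first, then PATH; fail closed if
# neither yields an executable instead of letting tmux guess.
ccb_resolve_claude() {
  _bin="${CLAUDE_BIN:-$(command -v claude 2>/dev/null || true)}"
  [ -n "$_bin" ] && [ -x "$_bin" ] || return 1
  printf '%s\n' "$_bin"
}

# Run one tmux command, or print it in dry-run mode so the policy can be
# exercised on a host with no tmux and no live session.
ccb_tmux() {
  if [ "$CCB_DRY_RUN" = 0 ]; then
    tmux "$@"
  else
    printf 'tmux'; printf ' %s' "$@"; printf '\n'
  fi
}

# Forward one chat message into session ccb_<chat>. Returns 0 when forwarded,
# 2 when the chat is not allowlisted, 3 when the text carried control bytes.
# "send-keys -l" sends the text literally (no key-name expansion), "--" stops
# option parsing for text starting with "-", and Enter is a separate keypress.
ccb_forward() {
  _chat="$1"; _text="$2"
  ccb_is_allowed "$_chat" || { ccb_log "deny chat=$_chat"; return 2; }
  ccb_input_is_clean "$_text" || { ccb_log "reject-ctrl chat=$_chat"; return 3; }
  ccb_tmux send-keys -t "ccb_$_chat" -l -- "$_text" || return 1
  ccb_tmux send-keys -t "ccb_$_chat" Enter || return 1
  ccb_log "forward chat=$_chat len=${#_text}"
}

# Answer a TUI prompt only for an allowlisted chat and only with fixed keys;
# the chat's wording never reaches the prompt. (y/n is an assumption here.)
ccb_answer_prompt() {
  _chat="$1"; _answer="$2"
  ccb_is_allowed "$_chat" || { ccb_log "deny-prompt chat=$_chat"; return 2; }
  case "$_answer" in
    yes) ccb_tmux send-keys -t "ccb_$_chat" y Enter ;;
    no)  ccb_tmux send-keys -t "ccb_$_chat" n Enter ;;
    *)   ccb_log "bad-answer chat=$_chat"; return 3 ;;
  esac
}
```

Source the file with CCB_DRY_RUN=1 to see the exact tmux commands the policy would emit without needing a session; the default-deny allowlist and the control-character filter are what keep an untrusted chat from pressing Enter or Ctrl-C on your behalf, and the audit log records decisions without copying message text into $HOME/.openclaw/cc-bridge.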
