claude-code-bridge
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do what it says, but it gives chat conversations persistent control over a local authenticated Claude Code terminal and contains an unsafe shell-launch pattern that needs review.
Install only if you trust the publisher and the chat participants who can reach it. Prefer private chats and sandbox mode, avoid permanent approvals, stop sessions when done, and ask for fixes to per-user authorization and the unsafe working-directory shell launch before using it on sensitive projects.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If enabled in a group or shared chat, other participants may be able to send prompts, approve Claude Code tool actions, view terminal output/history, and affect local files using the user's authenticated Claude Code session.
The skill forwards any message in an active chat to a locally logged-in Claude Code CLI, and explicitly supports group-chat scoped sessions; the artifacts do not show per-sender authorization or approval restrictions.
| Any message | Forwarded to Claude Code | ... Yes. Each OpenClaw channel (QQ private chat/group/Telegram conversation) is independent. ... CC-Bridge uses your locally logged-in Claude Code CLI, authenticated via OAuth.
Use only in trusted private chats unless the skill adds a per-user allowlist, explicit group opt-in, sender identity checks, and separate authorization for approvals and history access.
A malicious or accidental path value could cause local shell commands to run or make startup behave unpredictably.
A chat-supplied working directory is concatenated into a shell command string with nested single quotes rather than passed as a safely quoted argument; crafted existing path names containing shell metacharacters or quotes could break out of the quoting and execute shell code before Claude Code's normal approval flow is reached.
workdir="${MESSAGE:-}" ... launch_cmd="cd '$workdir' && unset CLAUDECODE CLAUDE_CODE; export TERM=xterm-256color; exec '$CLAUDE_BIN'" ... tmux new-session ... "bash --login -c '$launch_cmd'"
Avoid shell-string construction for the working directory; use tmux's working-directory option or pass the path as a separate argument to bash, and reject or safely quote paths containing metacharacters.
Approved Claude Code actions can modify projects, run local commands, perform git operations, or change project state.
Broad Claude Code terminal capabilities are clearly disclosed and are central to the skill, but they include file mutation, command execution, bash passthrough, and approval choices.
File read/write | ✅ | Full support after approval ... Command execution | ✅ | Full support after approval ... Bash mode (`!` prefix) | ✅ | Send directly via `send` ... All slash commands ... Full passthrough
Prefer sandbox mode for untrusted tasks, review every approval carefully, and avoid the permanent/always-allow option unless the project and chat participants are trusted.
A running session may continue holding context, terminal state, and access to the chosen working directory until explicitly stopped.
The background session persistence is disclosed and purpose-aligned, but it means the Claude Code process can remain active after the user leaves the chat interface.
tmux maintains persistent terminal sessions (survives disconnects)
Check `cc状态` regularly and use `关闭cc` when finished, especially after working in sensitive directories.
Sensitive content shared with Claude Code or printed by commands may remain in local bridge logs or scrollback until the session is stopped or files are cleaned up.
The script stores terminal output in local logs and large tmux scrollback so it can provide history and detect output stability; this may include sensitive prompts, code, or command output.
STATE_DIR="$HOME/.openclaw/claude-code-bridge" ... LOG_FILE="$STATE_DIR/${TMUX_NAME}.log" ... SCROLLBACK_LINES=50000 ... tmux pipe-pane -t "$TMUX_NAME" -o "cat >> '$LOG_FILE'"
Do not send secrets through the bridge, stop sessions after use, and consider stricter file permissions or log cleanup for `~/.openclaw/claude-code-bridge/`.
Users must manually verify the included script, local dependencies, and publisher trust before relying on the skill.
For a high-impact local terminal bridge, the registry metadata provides limited provenance and does not declare the local binary dependencies, even though the package includes reviewable script artifacts.
Source: unknown; Homepage: none ... Required binaries (all must exist): none ... Install specifications: No install spec
Declare required binaries such as tmux and Claude Code CLI, provide a trustworthy homepage/source reference, and keep the packaged script auditable.
