claude-code-bridge
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: claude-code-bridge Version: 1.0.0 The skill acts as a bridge to the Claude Code CLI via tmux, which is a high-privilege operation. While the behavior aligns with the stated purpose, the script `scripts/claude-code-bridge.sh` is vulnerable to shell injection in the `do_start` function because the `workdir` variable is placed inside a shell command string without adequate escaping (single quotes can be escaped by a crafted path). Since `SKILL.md` instructs the AI agent to extract paths from user messages and pass them to this script, it creates a significant risk where a user could achieve Remote Code Execution (RCE) on the host system via prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted existing directory path could cause local shell commands to run outside Claude Code's normal approval flow.
A chat-provided working directory is interpolated into a nested shell command string. Paths containing quotes or shell metacharacters can break the quoting and execute unintended shell commands before Claude Code starts.
local workdir="${MESSAGE:-}" ... launch_cmd="cd '$workdir' && unset CLAUDECODE CLAUDE_CODE; export TERM=xterm-256color; exec '$CLAUDE_BIN'" ... "bash --login -c '$launch_cmd'"Do not build the launch command with string concatenation. Use tmux's working-directory option or a safely quoted argument array, and reject or robustly escape unusual path characters.
Anyone who can drive the active chat session may be able to ask Claude Code to modify local files or run local commands, subject to Claude Code's approval prompts.
The skill exposes a full Claude Code terminal workflow, including file mutation, command execution, and direct Bash-mode passthrough from chat messages.
File read/write | ✅ | Full support after approval ... Command execution | ✅ | Full support after approval ... Bash mode (`!` prefix) | ✅ | Send directly via `send`
Use only in trusted private chats, prefer sandbox mode, avoid sensitive working directories, and add explicit OpenClaw-side confirmation for non-sandbox sessions and command/file mutations.
A group member or unintended chat participant could potentially use the local user's Claude Code account and local machine authority through the bridge.
The bridge delegates the local user's authenticated Claude Code session to chat channels, including group-chat contexts, without artifact evidence of per-user allowlists or authorization checks.
operate ... remotely through any chat channel — QQ, Telegram, Discord ... uses your locally logged-in Claude Code CLI with OAuth authentication ... QQ DM/group/Telegram chat
Restrict use to private trusted conversations, add per-user authorization checks, declare the local Claude Code login dependency, and avoid enabling this in group chats.
Terminal output may include code, file contents, command results, or other sensitive context that remains available until the session is stopped and logs are removed.
The bridge intentionally keeps large terminal history and state files so chat users can retrieve prior Claude Code output.
tmux 滚动缓冲区设为 50000 行 ... `/cc history [N]` 查看最近 N 行对话历史 ... 工作目录和沙盒状态存储在 `~/.openclaw/claude-code-bridge/` 下
Stop sessions when finished, avoid sensitive directories in shared chats, and document or implement retention limits for logs and history.
Future messages in the same active session may continue controlling the background Claude Code terminal until the user stops it.
Persistence is disclosed and central to the bridge, but it means the Claude Code process can remain available in the background after the user leaves the chat.
tmux maintains persistent terminal sessions (survives disconnects)
Use `cc状态` to check state and `关闭cc` when done; prefer sandbox mode for temporary work.
Users have less provenance information for code that can control a local terminal session.
The registry metadata does not provide a verifiable upstream source or install mechanism even though the skill includes a shell script that runs local processes.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill
Verify the script contents and publisher before installing, and prefer a pinned, trusted source.