Security audit

Claude Code Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed chat bridge to Claude Code, but it gives chat users broad remote control over a persistent terminal session with limited safety boundaries.

Install only if every chat participant who can reach the bot is trusted to operate Claude Code on the host machine. Prefer private chats, sender/channel allowlists, a low-privilege OS account, non-sensitive repositories, careful review of every approval, and disabling or restricting the generic `key`, `peek`, `history`, and permanent approval workflows before use in groups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The script exposes `peek`, `history`, `interrupt`, and especially `key` actions that allow a chat user to observe terminal contents and inject control keystrokes into a persistent Claude Code tmux session. In this skill context, the bridge is reachable from messaging channels and group chats, so these capabilities expand beyond simple message relay and approval handling into broad terminal/session control, enabling unintended command execution paths, disclosure of sensitive on-screen data, and bypass of higher-level workflow constraints.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The `key` handler provides generic terminal-control primitives such as arrow keys, escape, enter, and multiple Ctrl/Alt combinations, which can manipulate the Claude Code TUI in ways not limited to approval prompts. Because the skill operates as a remote bridge from chat to a live interactive terminal, this effectively grants remote users low-level control over the session, increasing the chance of unauthorized actions, prompt navigation abuse, or interaction with hidden terminal states and menus.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README explicitly advertises remote command execution, file read/write capability, and a permanent approval mode from chat interfaces, but does not include clear safety warnings about the risk of unauthorized access, accidental destructive actions, or misuse in shared/group-chat contexts. In this skill's context, that omission is meaningful because it bridges a real privileged interactive CLI session to remote messaging channels, increasing the chance that users enable dangerous workflows without understanding the trust boundary.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill instructs the agent to forward every incoming chat message into a persistent Claude CLI session, which can transmit sensitive user or group-chat content to another tool context without explicit user consent, scoping, or privacy notice. In a multi-channel or group-chat setting, this greatly increases the risk of unintended disclosure, prompt injection relay, and accidental execution of commands based on unrelated chat traffic.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill exposes start/stop/restart and persistent tmux-backed process control from chat interfaces without an explicit warning about host-side effects or operational safeguards. This can let chat users manipulate long-lived local processes and sessions in ways that affect system state, availability, and ongoing work, especially if the chat channel is shared or loosely authenticated.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide explicitly says that any message in CC mode is forwarded directly to Claude Code, but it does not clearly warn users that chat content may be relayed to another tool/service and possibly exposed to a persistent CLI session with broad file and tool access. In this skill context, that omission is more dangerous because users may interact from mobile or group chats and accidentally send sensitive content, commands, or approvals into the bridged session without understanding the privacy and security boundary.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script uses `tmux pipe-pane` to append all session output to a persistent log file under `~/.openclaw/cc-bridge` without any explicit consent, retention policy, or user-visible disclosure. In this skill context, the terminal may contain prompts, code, secrets, filesystem output, or approval screens originating from chat-driven sessions, so silent persistence increases confidentiality and privacy risk if the host account or stored files are later accessed.

VirusTotal

66/66 vendors flagged this skill as clean.