Claw Shell 1.0.0
v1.0.0
Runs shell commands exclusively inside tmux session 'claw', captures output, and requests confirmation for potentially destructive commands.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's code implements the advertised behavior (runs commands in a tmux session named 'claw' and captures output). However the registry metadata and _meta.json ownerId values differ (possible repackaging) and the skill implicitly requires the 'tmux' binary but does not declare it in required binaries.
Instruction Scope
SKILL.md confines activity to the 'claw' tmux session and requires user confirmation for dangerous commands; the handler returns an error to force confirmation, which is coherent. However, sendCommand builds a shell string and only escapes double quotes — it does not prevent shell interpolation (backticks, $(...), $ expansion, etc.). Because execSync runs via the system shell, portions of the supplied command can be executed locally during the send-keys call (before being run inside tmux and before any user confirmation), which contradicts the 'never touch any other session' / safe execution intent. The dangerous-command detection is simple and can be bypassed for commands that do harmful things but don't contain the tracked keywords.
Install Mechanism
No install spec (instruction-only with an included handler.js). Low install risk. Note: runtime depends on Node and tmux being present but tmux is not declared.
Credentials
The skill requests no environment variables or secrets, which is proportionate to its stated purpose.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges or modify other skills' configuration. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to do what it says, but do not install it without review because of implementation issues: (1) it implicitly requires the 'tmux' binary but doesn't declare it; (2) handler.js constructs shell commands with only double-quote escaping, allowing shell interpolation (backticks/$(...)/$vars) to be executed by the local shell when execSync runs — that can execute payloads on the host outside tmux and prior to any user confirmation; (3) the dangerous-command check is simplistic and may miss other harmful inputs; and (4) the ownerId in _meta.json doesn't match the registry metadata (possible repackaging).
If you plan to use this skill: run it in a safe/test environment first, ask the author to (a) declare tmux as a required binary, (b) fix sendCommand to avoid shell interpretation (use execFile/spawn with args or properly escape/disable shell evaluation), and (c) strengthen dangerous-command detection or enforce an explicit prompt/approval step before any local execution. If you cannot validate those fixes, treat the skill as untrusted and avoid using it on production or sensitive machines.
Like a lobster shell, security has layers — review code before you run it.
latest
claw-shell
ALWAYS USES TMUX SESSION claw.
PURPOSE
- RUN SHELL COMMANDS INSIDE TMUX SESSION claw
- NEVER TOUCH ANY OTHER SESSION
- READ OUTPUT BACK TO THE AGENT
INTERFACE
Tool: claw_shell_run
Inputs:
- command (string, required): shell command to run inside session claw.
Behavior:
- Attach to tmux session claw (create it if missing: tmux new -s claw -d).
- Send the command followed by Enter.
- Capture the latest pane output.
- Return the captured output to the agent.
SAFETY
- DO NOT RUN:
  - sudo
  - rm (without explicit user approval)
  - reboot, shutdown, or destructive system-level commands
- IF THE COMMAND CONTAINS ANY OF THE ABOVE:
  - ASK USER FOR CONFIRMATION BEFORE EXECUTING.
EXAMPLES
- SAFE:
  - ls -la
  - bird read https://x.com/...
  - git status
- DANGEROUS (ASK FIRST):
  - rm -rf ...
  - docker system prune -a
  - chmod -R ...
