
Claw Shell 1.0.0

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:26 AM.

Analysis

This is a disclosed shell-access skill, but its command safeguards are weak and its implementation can execute parts of input outside the intended tmux session.

Guidance: Install only if you deliberately want the agent to operate a local shell. Use it in a disposable or tightly scoped workspace, review commands before they run, avoid printing secrets, watch the 'claw' tmux session, and terminate that session when done.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High; Confidence: High; Status: Concern
handler.js
const bad = ["sudo", " rm ", " rm-", "reboot", "shutdown", "mkfs", "dd "]; ... sendCommand(command);

Only a small substring denylist gates a raw shell command. Many high-impact commands, including documented dangerous examples such as docker pruning or recursive chmod, are not covered.

User impact: An agent could run local commands that change files, services, containers, or the environment without robust per-command approval.
Recommendation: Require explicit user approval for every command or use a strict allowlist/scoped mode. If destructive commands are supported, add a real approval flag tied to the exact displayed command rather than a substring denylist.
Unexpected Code Execution
Severity: High; Confidence: High; Status: Concern
handler.js
function sendCommand(cmd) { ... execSync(`tmux send-keys -t claw "${escaped}" C-m`); }

The command string is interpolated into an outer shell command before tmux receives it. Only double quotes are escaped, so shell expansion syntax such as command substitution can execute outside the promised tmux session.

User impact: Parts of an input command may run in the host shell instead of inside the controlled tmux session, bypassing the skill's stated containment and output capture.
Recommendation: Use execFileSync/spawn with an argument array, for example invoking tmux without a shell, so the command is passed literally to tmux and not evaluated by the outer shell.
Rogue Agents
Severity: Low; Confidence: High; Status: Note
handler.js
execSync('tmux new -s claw -d');

The skill creates a detached tmux session that persists after the tool call. This is disclosed and purpose-aligned, but it leaves session state and processes alive.

User impact: Commands can keep running or leave state between tasks if the user does not monitor the tmux session.
Recommendation: Inspect and terminate the 'claw' tmux session when finished, and avoid launching long-running or background processes unless intended.
Agentic Supply Chain Vulnerabilities
Severity: Low; Confidence: Medium; Status: Note
metadata
Source: unknown; Homepage: none; Required binaries (all must exist): none

The skill has no declared source/homepage and does not declare tmux as a required binary despite relying on tmux commands.

User impact: It is harder to verify the publisher, origin, and runtime prerequisites for a tool that can run local shell commands.
Recommendation: Verify the publisher/source before installing and confirm tmux is available in the intended environment.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low; Confidence: High; Status: Note
handler.js
execSync('tmux capture-pane -t claw -p -S -200');

The tool returns the last 200 lines from a persistent tmux pane, not only the latest command's output, so prior terminal contents can be reused as agent context.

User impact: Old terminal output, including secrets or misleading instructions printed by tools, could be shown to or influence the agent.
Recommendation: Use a clean dedicated session, clear scrollback before sensitive work, avoid printing secrets, and consider delimiting/capturing only the current command's output.