Claude Code Remote Executor

Security checks across malware telemetry and agentic risk

Overview

This skill really is a remote Claude Code executor, but it exposes broad remote execution paths that need careful review before use.

Install only if you intentionally want to operate a remote code-execution control plane. Before use:
  • add authentication and network restrictions for the API and Redis
  • remove bypassPermissions or require explicit approval
  • disable the screen shell fallback
  • use a dedicated low-privilege account and project directory
  • document how to stop and remove the background services

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
HOST = SSH_HOST

def ssh(cmd, timeout=30):
    r = subprocess.run(
        ["ssh", "-o", "ServerAliveInterval=10", HOST, f"source ~/.zshrc && {cmd}"],
        capture_output=True, text=True, timeout=timeout
    )
Confidence: 95%
Finding: r = subprocess.run( ["ssh", "-o", "ServerAliveInterval=10", HOST, f"source ~/.zshrc && {cmd}"], capture_output=True, text=True, timeout=timeout )

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
print(f"  {msg}", flush=True)

def run(cmd, capture=True):
    r = subprocess.run(cmd, shell=True, capture_output=capture, text=True, timeout=30)
    return r.returncode, r.stdout, r.stderr

def ssh_cmd(host, cmd, timeout=30):
Confidence: 96%
Finding: r = subprocess.run(cmd, shell=True, capture_output=capture, text=True, timeout=30)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
def ssh_cmd(host, cmd, timeout=30):
    full_cmd = f'ssh -o "ServerAliveInterval=10" -o "ServerAliveCountMax=3" -o "ConnectTimeout=10" {host} "source ~/.zshrc && {cmd}"'
    r = subprocess.run(full_cmd, shell=True, capture_output=True, text=True, timeout=timeout)
    return r.returncode, r.stdout, r.stderr

def main():
Confidence: 99%
Finding: r = subprocess.run(full_cmd, shell=True, capture_output=True, text=True, timeout=timeout)

subprocess module call

Severity: Medium
Category: Dangerous Code Execution
Content:
f"ssh -o ServerAliveInterval=30 -o StrictHostKeyChecking=no {SSH_HOST} "
                f"'screen -dmS {screen_name} /bin/zsh -c \"{escaped_prompt}\"'"
            )
            r = subprocess.run(ssh_cmd, shell=True, capture_output=True, timeout=15)
            return r.returncode == 0
        except Exception:
            return False
Confidence: 99%
Finding: r = subprocess.run(ssh_cmd, shell=True, capture_output=True, timeout=15)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding: The generated worker runs Claude with `--permission-mode bypassPermissions`, explicitly disabling safety gates while consuming prompts from a Redis queue. In the context of a remote dispatch skill, this creates a highly dangerous unaudited remote agent that can perform destructive actions on the target machine based solely on queued prompt content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The script makes broad SSH and shell-environment changes on the target machine that exceed the stated purpose of dispatching Claude Code commands. This mismatch increases risk because users invoking a remote-dispatch skill may not expect persistent workstation reconfiguration and remote state changes.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The file implements SSH hardening and environment setup rather than the manifest-described three-channel remote dispatch flow. Such capability drift is risky in agent skills because it hides additional power and persistence behind a different advertised purpose.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding: The screen fallback runs the provided prompt directly inside a remote shell, which is much broader than submitting work to Claude Code. In this skill context, that mismatch is especially dangerous because users may believe they are invoking a bounded coding agent while actually granting arbitrary remote command execution.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: This code exposes a general-purpose remote shell capability via SSH screen that is not necessary for the stated feature of dispatching Claude Code tasks. The hidden expansion of scope from 'remote Claude tasking' to arbitrary shell execution materially increases the chance of destructive commands, persistence, data theft, or lateral movement on the remote machine.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The trigger phrases are broad and loosely scoped, including generic ideas like 'remote execute' or 'send to Claude Code.' In a skill that performs remote command dispatch and system management, ambiguous triggering raises the chance of unintended invocation leading to accidental actions on remote hosts.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The markdown describes remote execution, queue submission, SSH process control, and deployment behavior without an explicit warning that these actions can alter remote systems and create persistent services. In this context, missing impact warnings materially increase risk because users may not appreciate that invocation can start daemons, install packages, and change operational state on another machine.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The script silently deploys a worker that executes in elevated `bypassPermissions` mode without any user-facing consent, warning, or confirmation. This is dangerous because operators may believe they are deploying ordinary remote execution while actually creating an unrestricted agent channel with much higher blast radius.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script writes remote files and modifies SSH configuration without any interactive confirmation, dry-run mode, or explicit warning that persistent system state will change. In an agent context, silent remote mutation can surprise users and make accidental or unsafe deployment more likely.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The subprocess wrappers trigger remote shell execution and local shell parsing without surfacing clear safety messaging or operator acknowledgment. In a remote-execution skill, lack of warnings materially increases the chance of unintended state changes and unsafe command dispatch.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The code sends user-provided prompt content into a remote shell without any explicit warning, confirmation, or separation between natural-language tasking and shell command execution. That creates a dangerous expectation gap and increases the likelihood of accidental misuse even if no attacker is present.

VirusTotal

67/67 vendors flagged this skill as clean.
