中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 20/100
Last scan:2 days ago Rescan
20 /100
claude-bridge
Bridge to local Claude Code CLI - no API key required. Creates task files and shell scripts, then executes Claude Code locally via subprocess.
Legitimate Claude Code CLI bridge with no malicious behavior; minor documentation gaps around subprocess usage.
Skill Nameclaude-bridge
Duration48.2s
Enginepi
Safe to install
Add explicit subprocess.run() declaration to SKILL.md and consider using shlex.quote() for prompt escaping to prevent shell injection edge cases.

Findings 4 items

Severity Finding Location
Low
Shell script injection surface in create_task()
The create_task() function inserts the user prompt into a bash script with only double-quote escaping. Special shell characters like $() or backticks in the prompt could be evaluated as shell commands when the script is sourced.
claude -p "{prompt.replace('"', '\\"')}" --allowedTools "Read,Edit,Bash"
→ Use shlex.quote() for proper shell escaping or pass the prompt via environment variable instead of inline string interpolation.
 claude_bridge.py:54
Low
subprocess.run() not explicitly declared in SKILL.md
The SKILL.md describes the workflow (create task, execute, read results) but does not explicitly mention that subprocess.run() is used to execute bash scripts. While the implementation is transparent, this creates a doc-to-code gap.
No explicit mention of subprocess.run() or bash script execution
→ Add a 'Implementation Details' section to SKILL.md documenting the use of subprocess and shell scripts.
 SKILL.md:1
Info
Allowed tools restriction is a good security measure
The skill hardcodes --allowedTools 'Read,Edit,Bash' in all generated scripts, limiting Claude Code to only these three tools. This is a positive security design that prevents Claude Code from using more dangerous tools like WebFetch or Write.
--allowedTools "Read,Edit,Bash"
→ No action needed; this is a good security practice.
 claude_bridge.py:72
Info
Task execution scoped to local directories
All tasks are executed in the skill's own directory (claude-bridge), not arbitrary user-specified paths. The cd command in generated scripts points to the skill's home directory.
cd "{os.getcwd()}"
→ No action needed; this limits blast radius.
 claude_bridge.py:68
ResourceDeclaredInferredStatusEvidence
Filesystem WRITE WRITE ✓ Aligned claude_bridge.py:54-69 writes task JSON and shell scripts to tasks/ directory
Shell WRITE WRITE ✓ Aligned claude_bridge.py:86-90 uses subprocess.run() to execute bash scripts
Network NONE NONE No direct network calls in claude_bridge.py; Claude Code CLI handles API calls s…
1 findings
🔗
Medium External URL 外部 URL
https://coding.dashscope.aliyuncs.com/apps/anthropic
results/analyze_claude_code_source.txt:4

File Tree

51 files · 47.0 KB · 1175 lines
Shell 13f · 370L Text 13f · 287L Python 1f · 252L Markdown 1f · 165L JSON 23f · 101L
├─ 📁 results
│ ├─ 📄 analyze_claude_code_source.txt Text 55L · 1.7 KB
│ ├─ 📋 analyze_commands_system.json JSON 1L · 69 B
│ ├─ 📄 analyze_commands_system.txt Text 34L · 1.8 KB
│ ├─ 📋 analyze_query_engine.json JSON 1L · 69 B
│ ├─ 📄 analyze_query_engine.txt Text 45L · 2.5 KB
│ ├─ 📋 analyze_tools_system.json JSON 1L · 69 B
│ ├─ 📄 analyze_tools_system.txt Text 33L · 1.8 KB
│ ├─ 📋 fix_db_cache_002.json JSON 1L · 69 B
│ ├─ 📄 fix_db_cache_002.txt Text 8L · 207 B
│ ├─ 📋 fix_db_kairos_001.json JSON 1L · 69 B
│ ├─ 📄 fix_db_kairos_001.txt Text 8L · 363 B
│ ├─ 📋 fix_db_memory_003.json JSON 1L · 69 B
│ ├─ 📄 fix_db_memory_003.txt Text 8L · 207 B
│ ├─ 📄 fix_web_ui_full_access.txt Text 16L · 742 B
│ ├─ 📋 fix_web_ui_missing_files.json JSON 1L · 69 B
│ ├─ 📄 fix_web_ui_missing_files.txt Text 1L · 79 B
│ ├─ 📋 manual_1775136627.json JSON 1L · 69 B
│ ├─ 📄 manual_1775136627.txt Text 1L · 51 B
│ ├─ 📋 manual_1775199172.json JSON 1L · 69 B
│ ├─ 📄 manual_1775199172.txt Text 43L · 1.9 KB
│ ├─ 📄 optimize_web_components.txt Text 27L · 1.0 KB
│ ├─ 📋 test_fix_001.json JSON 1L · 69 B
│ └─ 📄 test_fix_001.txt Text 8L · 235 B
├─ 📁 tasks
│ ├─ 📋 analyze_claude_code_source.json JSON 7L · 1.1 KB
│ ├─ 🔧 analyze_claude_code_source.sh Shell 54L · 1.6 KB
│ ├─ 📋 analyze_commands_system.json JSON 7L · 518 B
│ ├─ 🔧 analyze_commands_system.sh Shell 29L · 1.0 KB
│ ├─ 📋 analyze_query_engine.json JSON 7L · 540 B
│ ├─ 🔧 analyze_query_engine.sh Shell 29L · 1.0 KB
│ ├─ 📋 analyze_tools_system.json JSON 7L · 538 B
│ ├─ 🔧 analyze_tools_system.sh Shell 29L · 1.0 KB
│ ├─ 📋 fix_db_cache_002.json JSON 7L · 696 B
│ ├─ 🔧 fix_db_cache_002.sh Shell 31L · 1.1 KB
│ ├─ 📋 fix_db_kairos_001.json JSON 7L · 552 B
│ ├─ 🔧 fix_db_kairos_001.sh Shell 26L · 1.0 KB
│ ├─ 📋 fix_db_memory_003.json JSON 7L · 700 B
│ ├─ 🔧 fix_db_memory_003.sh Shell 32L · 1.2 KB
│ ├─ 📋 fix_web_ui_full_access.json JSON 7L · 843 B
│ ├─ 🔧 fix_web_ui_full_access.sh Shell 29L · 1.4 KB
│ ├─ 📋 fix_web_ui_missing_files.json JSON 7L · 868 B
│ ├─ 🔧 fix_web_ui_missing_files.sh Shell 34L · 1.4 KB
│ ├─ 📋 manual_1775136627.json JSON 7L · 426 B
│ ├─ 🔧 manual_1775136627.sh Shell 17L · 988 B
│ ├─ 📋 manual_1775199172.json JSON 7L · 484 B
│ ├─ 🔧 manual_1775199172.sh Shell 17L · 1.0 KB
│ ├─ 📋 optimize_web_components.json JSON 7L · 709 B
│ ├─ 🔧 optimize_web_components.sh Shell 26L · 1.2 KB
│ ├─ 📋 test_fix_001.json JSON 7L · 317 B
│ └─ 🔧 test_fix_001.sh Shell 17L · 765 B
├─ 🐍 claude_bridge.py Python 252L · 7.4 KB
└─ 📝 SKILL.md Markdown 165L · 3.5 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
python3 system stdlib No No external dependencies; uses only Python standard library (subprocess, json, os, time, pathlib)

Security Positives

✓ No credential harvesting: no access to ~/.ssh, ~/.aws, .env, or similar sensitive paths
✓ No data exfiltration: no POST requests to external IPs; all results stored locally
✓ No obfuscation techniques: no base64, eval(), or atob() patterns found
✓ Allowed tools restriction (Read,Edit,Bash only) limits Claude Code's capabilities
✓ Task execution is scoped to the skill's own directory
✓ No curl|bash or wget|sh remote script execution patterns
✓ No hidden instructions in HTML comments or other files
✓ Code is readable and straightforward with no suspicious patterns