Is biosaylom/my-claw-shell safe?

The isDangerous() function performs substring matching against a seven-element list with space-padded patterns. 'rm' at the start of a command ('rm file'), shell substitution ('$(rm ...)'), backslash prefix ('\rm'), and entirely absent dangerous commands (curl|bash, wget|sh, shred, truncate, chown, chmod -R, python -c, perl -e, nc) all bypass the check silently and execute.

The skill grants the agent an unrestricted interactive shell via tmux with no output filtering, command logging, or rate limiting. A single tool call can read any file the user can access and pipe output to an external endpoint. No monitoring of what is sent over the tmux session exists in the skill itself.

Six canary files were opened and read during the monitoring period. The first batch (audit events 255-260, ts 1771733662.979) predates the git clone and is attributable to sudo/PAM session setup. The second batch (audit events 1413-1418, ts 1771733682.772) occurs after skill installation is complete and has no clear EXECVE ancestor in the provided auditd logs, making attribution ambiguous. The canary integrity system reports no modification or exfiltration.

The canary files were read after skill installation. While the integrity checker reports content intact, the reads occurred and no exfiltration channel other than file modification is monitored by the canary system. DNS-based exfiltration, timing channels, or reads of in-memory values would not be detected.

sendCommand() interpolates the user-supplied command string into a tmux send-keys shell invocation after only escaping double-quote characters. Backticks, $(), semicolons, pipe characters, and single quotes pass through unescaped. If the host agent is manipulated via prompt injection to pass a crafted command string, injection into the shell context is straightforward.

SKILL.md's SAFETY section explicitly states dangerous commands are blocked and users will be asked for confirmation before execution. The handler.js implementation enforces a weak and bypassed version of this policy. Operators reading the SKILL.md documentation will believe stronger safeguards are in place than actually exist, potentially deploying this skill in contexts where they would otherwise require additional authorization controls.

Because this skill executes arbitrary shell commands, any successful prompt injection against the host agent (via a malicious URL, document, or web page the agent browses) can chain through this skill to achieve full shell access. Combined with a web fetch or file browser skill, a single agentic turn can read credentials and exfiltrate them. The skill provides no defense-in-depth against such chaining.

The tmux session named 'claw' persists indefinitely between tool invocations and across agent restarts. Any other process or user session on the host can attach to, observe output from, or inject keystrokes into this session using 'tmux attach -t claw'. If multiple agent instances run on the same host they share this session without isolation.

After sending a command to tmux, handler.js waits exactly 500ms before capturing output. Long-running commands return partial or no output; fast commands with large output may be captured incorrectly. This design flaw could lead to the agent misreading command results and taking incorrect follow-up actions.

Installation contacted only github.com (140.82.121.3:443) via HTTPS for the git clone. No new listeners were opened post-install, no filesystem changes occurred outside the designated skill directory, and no unexpected processes were spawned. Connection state before and after installation is identical aside from the SSH management session.