Is claude-team safe?

The skill's documentation and best practices repeatedly instruct users to spawn Claude Code workers with skip_permissions: true, which maps to the --dangerously-skip-permissions flag. This disables all safety prompts in spawned sessions, meaning any code execution, file writes, or destructive operations happen without user confirmation. The best practices section frames this as required ('Workers need skip_permissions: true to write files') when in reality Claude Code can write files with normal permission grants.

assets/setup.sh installs a launchd plist into ~/Library/LaunchAgents/ that auto-starts on login. The plist is generated from com.claude-team.plist.template which is NOT included in the skill's audited files. This means the actual service configuration — what binary runs, with what arguments, what environment variables — cannot be verified. The script immediately loads and starts the service.

The skill runs an HTTP MCP server on port 8766 that accepts tool calls including spawn_workers. No authentication mechanism is documented. Any local process or user can send requests to this endpoint to spawn Claude Code sessions, potentially with skip_permissions enabled. Combined with the launchd auto-start, this service runs persistently in the background.

SKILL.md contains a prominent directive: 'NEVER make code changes directly. Always spawn workers for code changes.' This overrides the user's natural workflow and forces all code modifications through the skill's worker spawning system, which defaults to skip-permissions mode. This creates an opaque execution layer where the user has reduced visibility into what actions are being taken.

The architecture creates a privilege escalation chain: any local process can hit the unauthenticated HTTP endpoint → spawn Claude Code workers with --dangerously-skip-permissions → those workers can execute arbitrary code, read/write any user-accessible file, and make network requests without any user confirmation. This is especially concerning as a persistent background service.

The skill's documentation instructs users to embed Telegram bot tokens directly in crontab entries and shell profiles. While this is a documentation concern rather than active exfiltration, it normalizes poor credential hygiene that could lead to token exposure.

The skill references 'uv run python -m claude_team_mcp' as the actual server runtime, but this Python package is not included in the skill's files. The skill only contains SKILL.md documentation and a setup.sh script. The actual code that handles MCP tool calls, manages workers, and interacts with iTerm2 cannot be audited through this skill package.

The worker tracking system writes project paths, task descriptions, bead IDs, and timestamps to ~/.claude-team/memory/worker-tracking.json. While functional, this creates a persistent record of development activity that could be accessed by other processes.

Installation monitoring showed no unexpected network connections, no process spawning, no filesystem modifications outside the skill directory, and no firewall-blocked attempts. The filesystem events are consistent with normal system library loading.