Claw Shell 1.0.0 — Skill Tool

v1.0.0

[Auto-translated] Runs shell commands exclusively inside tmux session 'claw', captures output, and requests confirmation for potentially destructive commands.

0 · 441 · 10 current · 10 cumulative
by @zlshiny (shiny)·MIT-0
License
MIT-0
Last updated
2026/4/8
Security scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
The skill's behavior matches its description, but the implementation has several inconsistencies and a real command-injection risk (it can execute parts of the provided command locally before sending it to tmux), and it doesn't declare required dependencies or match metadata.
Assessment recommendation
This skill appears to do what it says, but do not install it without review because of implementation issues: (1) it implicitly requires the 'tmux' binary but doesn't declare it; (2) handler.js constructs shell commands with only double-quote escaping, allowing shell interpolation (backticks/$(...)/$vars) to be executed by the local shell when execSync runs — that can execute payloads on the host outside tmux and prior to any user confirmation; (3) the dangerous-command check is simplistic and m...
Detailed analysis
Purpose and capabilities
The skill's code implements the advertised behavior (runs commands in a tmux session named 'claw' and captures output). However the registry metadata and _meta.json ownerId values differ (possible repackaging) and the skill implicitly requires the 'tmux' binary but does not declare it in required binaries.
Instruction scope
SKILL.md confines activity to the 'claw' tmux session and requires user confirmation for dangerous commands; the handler returns an error to force confirmation, which is coherent. However, sendCommand builds a shell string and only escapes double quotes — it does not prevent shell interpolation (backticks, $(...), $ expansion, etc.). Because execSync runs via the system shell, portions of the supplied command can be executed locally during the send-keys call (before being run inside tmux and before any user confirmation), which contradicts the 'never touch any other session' / safe execution intent. The dangerous-command detection is simple and can be bypassed for commands that do harmful things but don't contain the tracked keywords.
Install mechanism
No install spec (instruction-only with an included handler.js). Low install risk. Note: runtime depends on Node and tmux being present but tmux is not declared.
Credential requirements
The skill requests no environment variables or secrets, which is proportionate to its stated purpose.
Persistence and privileges
always is false and the skill does not request elevated platform privileges or modify other skills' configuration. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
Before you install
  1. It implicitly requires the 'tmux' binary but doesn't declare it.
  2. handler.js constructs shell commands with only double-quote escaping, allowing shell interpolation (backticks/$(...)/$vars) to be executed by the local shell when execSync runs — that can execute payloads on the host outside tmux and prior to any user confirmation.
  3. The dangerous-command check is simplistic and may miss other harmful inputs.
  4. The ownerId in _meta.json doesn't match the registry metadata (possible repackaging).
If you plan to use this skill: run it in a safe/test environment first, and ask the author to (a) declare tmux as a required binary, (b) fix sendCommand to avoid shell interpretation (use execFile/spawn with args or properly escape/disable shell evaluation), and (c) strengthen dangerous-command detection or enforce an explicit prompt/approval step before any local execution. If you cannot validate those fixes, treat the skill as untrusted and avoid using it on production or sensitive machines.
Security is layered; review the code before running it.

License

MIT-0

Free to use, modify, and redistribute; no attribution required.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.0 · 2026/3/4

Initial release of claw-shell:
- Runs shell commands exclusively inside a dedicated tmux session named "claw".
- Captures and returns output from commands run in the session.
- Ensures safety by restricting dangerous commands (e.g., sudo, rm, reboot) unless explicit user confirmation is received.
- Provides a clear interface for running commands and handling approval for risky actions.

● Suspicious

Install command

Official: npx clawhub@latest install claw-shell-1-0-0
Mirror: npx clawhub@latest install claw-shell-1-0-0 --registry https://cn.clawhub-mirror.com
Data source: ClawHub · Chinese localization: 龙虾技能库