Downloads: 534 | Stars: 0 | Active Installs: 11 | Versions: 1
Install in OpenClaw
/install claw-shell-1-0-0
Description
Runs shell commands exclusively inside tmux session 'claw', captures output, and requests confirmation for potentially destructive commands.
README (SKILL.md)
claw-shell
ALWAYS USES TMUX SESSION `claw`.
PURPOSE
- RUN SHELL COMMANDS INSIDE TMUX SESSION `claw`
- NEVER TOUCH ANY OTHER SESSION
- READ OUTPUT BACK TO THE AGENT
INTERFACE
Tool: `claw_shell_run`
Inputs:
- `command` (string, required): shell command to run inside session `claw`.
Behavior:
- Attach to tmux session `claw` (create it if missing: `tmux new -s claw -d`).
- Send the command followed by Enter.
- Capture the latest pane output.
- Return the captured output to the agent.
SAFETY
- DO NOT RUN:
  - `sudo`
  - `rm` (without explicit user approval)
  - `reboot`, `shutdown`, or destructive system-level commands
- IF THE COMMAND CONTAINS ANY OF THE ABOVE:
  - ASK USER FOR CONFIRMATION BEFORE EXECUTING.
EXAMPLES
- SAFE:
  - `ls -la`
  - `bird read https://x.com/...`
  - `git status`
- DANGEROUS (ASK FIRST):
  - `rm -rf ...`
  - `docker system prune -a`
  - `chmod -R ...`
Usage Guidance
This skill appears to do what it says, but do not install it without review because of implementation issues: (1) it implicitly requires the 'tmux' binary but doesn't declare it; (2) handler.js constructs shell commands with only double-quote escaping, allowing shell interpolation (backticks/$(...)/$vars) to be executed by the local shell when execSync runs — that can execute payloads on the host outside tmux and prior to any user confirmation; (3) the dangerous-command check is simplistic and may miss other harmful inputs; and (4) the ownerId in _meta.json doesn't match the registry metadata (possible repackaging). If you plan to use this skill: run it in a safe/test environment first, ask the author to (a) declare tmux as a required binary, (b) fix sendCommand to avoid shell interpretation (use execFile/spawn with args or properly escape/disable shell evaluation), and (c) strengthen dangerous-command detection or enforce an explicit prompt/approval step before any local execution. If you cannot validate those fixes, treat the skill as untrusted and avoid using it on production or sensitive machines.
Capability Analysis
Type: OpenClaw Skill
Name: claw-shell-1-0-0
Version: 1.0.0
This skill is highly suspicious due to its core functionality of executing arbitrary shell commands via `execSync` in `handler.js`. It contains a critical shell injection vulnerability in the `sendCommand` function, where user-provided commands are passed directly to `tmux send-keys` without adequate shell-level sanitization, allowing for arbitrary command execution. Furthermore, the `isDangerous` function, intended as a safety mechanism, relies on an easily bypassable blacklist, which allows dangerous commands (e.g., `curl`, `wget`, `cat /etc/passwd`) to be executed without triggering the user confirmation prompt specified in `SKILL.md`, effectively bypassing the agent's safety instructions. The `readOutput` function also captures and returns the output of these commands, enabling potential data exfiltration.
Capability Assessment
Purpose & Capability
The skill's code implements the advertised behavior (runs commands in a tmux session named 'claw' and captures output). However the registry metadata and _meta.json ownerId values differ (possible repackaging) and the skill implicitly requires the 'tmux' binary but does not declare it in required binaries.
Instruction Scope
SKILL.md confines activity to the 'claw' tmux session and requires user confirmation for dangerous commands; the handler returns an error to force confirmation, which is coherent. However, sendCommand builds a shell string and only escapes double quotes — it does not prevent shell interpolation (backticks, $(...), $ expansion, etc.). Because execSync runs via the system shell, portions of the supplied command can be executed locally during the send-keys call (before being run inside tmux and before any user confirmation), which contradicts the 'never touch any other session' / safe execution intent. The dangerous-command detection is simple and can be bypassed for commands that do harmful things but don't contain the tracked keywords.
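The fixes requested in the Usage Guidance, as an added example constructed for this review (it is not the skill's handler.js): `quoteOnlyCommandLine` stands in for the quote-only escaping described above so the leftover host-shell expansions are visible, `sendKeysArgv` passes the command as one argv element for `execFileSync`, and `needsApproval` is a default-deny gate checked before anything runs locally. All function names and the allowlist contents are assumptions; `-l` is tmux's literal-keys flag.

```javascript
// Added example; constructed stand-in for the pattern described, not handler.js.
const SESSION = "claw";

// Pattern under review: escape only double quotes, then build one shell string.
function quoteOnlyCommandLine(command) {
  const escaped = command.replace(/"/g, '\\"');
  return `tmux send-keys -t ${SESSION} "${escaped}" Enter`;
}

// Expansions the host shell still performs inside double quotes.
function hostShellExpansions(commandLine) {
  const found = [];
  if (/`/.test(commandLine)) found.push("backtick substitution");
  if (/\$\(/.test(commandLine)) found.push("$() substitution");
  if (/\$[A-Za-z_{]/.test(commandLine)) found.push("variable expansion");
  return found;
}

// Hardened: one argv element per argument, so no host shell parses the command.
function sendKeysArgv(command) {
  return [
    ["send-keys", "-t", SESSION, "-l", "--", command], // -l: send text literally
    ["send-keys", "-t", SESSION, "Enter"],
  ];
}

// Default-deny approval gate: anything not allowlisted needs confirmation.
const NO_PROMPT = new Set(["ls", "pwd"]); // hypothetical allowlist
function needsApproval(command) {
  const first = command.trim().split(/\s+/)[0];
  return !NO_PROMPT.has(first) || /[;&|<>`$(){}\\\n]/.test(command);
}

// The approval check runs before any local process is spawned.
function sendCommand(command, approved = false) {
  if (needsApproval(command) && !approved) {
    return { ok: false, error: "confirmation required" };
  }
  const { execFileSync } = require("node:child_process");
  for (const argv of sendKeysArgv(command)) execFileSync("tmux", argv);
  return { ok: true };
}
```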
Install Mechanism
No install spec (instruction-only with an included handler.js). Low install risk. Note: runtime depends on Node and tmux being present but tmux is not declared.
Credentials
The skill requests no environment variables or secrets, which is proportionate to its stated purpose.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges or modify other skills' configuration. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: `/install claw-shell-1-0-0`
- After installation, invoke the skill by name or use `/claw-shell-1-0-0`
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of claw-shell:
- Runs shell commands exclusively inside a dedicated tmux session named "claw".
- Captures and returns output from commands run in the session.
- Ensures safety by restricting dangerous commands (e.g., sudo, rm, reboot) unless explicit user confirmation is received.
- Provides a clear interface for running commands and handling approval for risky actions.
Frequently Asked Questions
What is Claw Shell 1.0.0?
Runs shell commands exclusively inside tmux session 'claw', captures output, and requests confirmation for potentially destructive commands. It is an AI Agent Skill for Claude Code / OpenClaw, with 534 downloads so far.
How do I install Claw Shell 1.0.0?
Run "/install claw-shell-1-0-0" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Claw Shell 1.0.0 free?
Yes, Claw Shell 1.0.0 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Claw Shell 1.0.0 support?
Claw Shell 1.0.0 is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Claw Shell 1.0.0?
It is built and maintained by shiny (@zlshiny); the current version is v1.0.0.