claude-code-runner

Fail

Audited by Snyk on Jun 19, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.80). The domain clawhub.ai is an untrusted/unknown registry, and the GitHub repo is from an unknown user and contains a root/sudo-required script that auto-responds to prompts and syncs changes back to your project. These behaviors can be abused to run arbitrary or malicious code.

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The script contains high-risk patterns: it constructs and runs an unescaped shell command with a user-controlled prompt (command injection / RCE), auto-accepts interactive prompts (automatically authorizing potentially destructive or exfiltrative actions), and runs an external AI tool inside a copied project (which can leak project contents to remote services), then blindly syncs changes back. Combined with the required root/sudo, this enables remote code execution, data exfiltration, and silent code injection.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). The skill runs claude --print "{prompt}" inside a PTY and captures that process's stdout/stderr (os.read(master_fd, ...)), so any free text produced by the external Claude Code tool (i.e., model output) is ingested into the agent context via the returned decoded output. The prompt itself is user-supplied, but the model's generated text is authored by a third party.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.80). The README/INSTALL instructions direct the user to clone https://github.com/lhl09120/claude-code-runner-en.git (git clone ...) and then execute scripts/run_claude.py, meaning remote code would be fetched and executed; it is therefore an external dependency that can control runtime behavior.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly requires root/sudo, performs privileged operations (changing file ownership, switching users) and syncs/modifies files on the host, which pushes the agent to change the machine's state and use elevated privileges.

Issues (5)

E005 (CRITICAL): Suspicious download URL detected in skill instructions.
E006 (CRITICAL): Malicious code pattern detected in skill scripts.
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
W013 (MEDIUM): Attempt to modify system services in skill instructions.

Audit Metadata
Risk Level: CRITICAL
Analyzed: Jun 19, 2026, 06:02 PM
Issues: 5