claw
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The installation process requires the user to execute shell commands that modify the system, including making scripts executable and creating symbolic links in the system PATH.
- [COMMAND_EXECUTION]: The Python script uses subprocess.run and subprocess.Popen to invoke container runtimes (docker or container) and execute arbitrary container images, by default nanoclaw-agent:latest.
- [COMMAND_EXECUTION]: The skill instructions advise users to modify their shell profiles (~/.zshrc or ~/.bashrc) to persist changes to the system PATH.
- [CREDENTIALS_UNSAFE]: The script explicitly reads highly sensitive authentication tokens, such as CLAUDE_CODE_OAUTH_TOKEN, ANTHROPIC_API_KEY, and ANTHROPIC_AUTH_TOKEN, from the local .env file.
- [DATA_EXFILTRATION]: The script reads sensitive local data, including the contents of the .env file and the ~/.claude directory, and transmits this data into a containerized environment via standard input.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by reading untrusted data from stdin or command-line arguments and interpolating it directly into the agent's prompt payload without sanitization or protective boundary markers.
  - Ingestion points: Untrusted data enters the agent context via sys.stdin.read() and positional command-line arguments in the scripts/claw file.
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the prompt assembly logic.
  - Capability inventory: The skill can execute shell commands through container runtimes using the subprocess module.
  - Sanitization: There is no evidence of input validation, escaping, or sanitization of external content before it is processed by the agent.
Audit Metadata