ClawAudit verdict

TeamClaw

teamclawtest

28
🔴 Dangerous
Multiple critical issues — do not install without thorough manual review

Accesses credentials AND makes external network calls

TeamClaw scores 28/100 (Dangerous). It declares no permissions. 2 undeclared capabilities detected — the skill does more than its permissions suggest. 7 high-severity flags.

0
security
40
transparency
70
maintenance

What it does

These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.

Capability combination high

Accesses credentials AND makes external network calls — potential credential theft

LLM02 · ASI03

Permission integrity

Makes network requests but does not declare curl/wget in required binaries

network_out

Code accesses API keys/tokens but declares no environment variables

credential_access

Findings (18)

Pattern match high

HTTP request to bare IP address — common in malicious payloads

SKILL.md · code · http://127.0.0.1

Pattern match high

Possible hardcoded credential

scripts/launcher.py · prose · downgraded · TOKEN=", content, re.MULTILINE): content = re.sub(r

Pattern match high

Pipe-to-shell pattern (curl | sh) — supply chain attack vector

scripts/setup_env.sh · prose · downgraded · curl -LsSf https://astral.sh/uv/install.sh | sh

Pattern match high

Pipe to sh — executes piped content as shell commands

scripts/setup_env.sh · prose · downgraded · | sh

Pattern match high

Recursive delete from root or home — destructive command

src/mcp_commander.py · prose · downgraded · rm -rf /

Pattern match high

Accesses sensitive system files

src/mcp_commander.py · prose · downgraded · /etc/passwd

Pattern match medium

References webhook/callback URL

SKILL.md · code · callback_url

Pattern match medium

subprocess execution — runs system commands from Python

packaging/build.py · prose · downgraded · subprocess.run(

Pattern match medium

Data URI with base64 payload — may embed malicious content

src/mainagent.py · prose · downgraded · data:application/pdf;base64,

Pattern match medium

References sudo — requests elevated privileges

src/mcp_commander.py · prose · downgraded · sudo

Pattern match medium

Python asyncio subprocess — async shell execution

src/mcp_commander.py · prose · downgraded · asyncio.create_subprocess_shell(

Pattern match low

Python os.getenv — reads environment variable

chatbot/QQbot.py · prose · downgraded · os.getenv(

Pattern match low

Python aiohttp session — async network access

chatbot/QQbot.py · prose · downgraded · aiohttp.ClientSession

Pattern match low

Popular HTTP library — network access

oasis/scheduler.py · prose · downgraded · got

Pattern match low

Python urllib.request — network access

scripts/launcher.py · prose · downgraded · urllib.request

Pattern match low

Sets world-executable permissions

src/mcp_commander.py · prose · downgraded · chmod 777

Pattern match low

Changes file ownership

src/mcp_commander.py · prose · downgraded · chown

Pattern match low

Python os.environ.get — reads environment variable

src/mcp_commander.py · prose · downgraded · os.environ.get(

Why the tier is capped

Execution sink present in raw bytes (Hard Floor: class A/D/E). Final tier capped at Caution — cannot be lifted by any downgrade, example-payload opt-in, or allowlist.

Permissions & capabilities

No declared permissions — minimal attack surface.

credential_accessnetwork_innetwork_out
Check another skill Browse the registry Auditing your own skills or configs? Use the API