claude-code-wingman
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes arbitrary strings provided in the --prompt argument using tmux send-keys. The lack of input validation or sanitization allows for potential command injection if a malicious prompt is provided to the orchestrator.
- [COMMAND_EXECUTION]: The auto-approver.sh script is designed to subvert the security model of the Claude Code CLI by automatically responding to "Do you trust" and "Do you want to proceed" prompts. This removes necessary human-in-the-loop verification for sensitive operations like file modification or shell command execution.
- [CREDENTIALS_UNSAFE]: The lib/send-notification.sh script reads sensitive configuration data, including webhook authentication tokens and phone numbers, from the user's home directory (~/.clawdbot/clawdbot.json).
- [DATA_EXFILTRATION]: The master-monitor.sh daemon captures session output from the terminal pane and transmits it to a remote webhook via curl. This process can expose source code, environment details, or sensitive command output to a network endpoint.
- [PROMPT_INJECTION]: The SKILL.md instructions utilize high-priority markers such as "⚡ CRITICAL" and "IMMEDIATELY run" to influence the agent's behavior and ensure specific approval-related commands are prioritized over others.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface
  - Ingestion points: User-provided task descriptions passed to the --prompt argument in claude-wingman.sh.
  - Boundary markers: Absent; external content is sent directly to the interactive CLI session.
  - Capability inventory: The skill manages a session with full command execution and file system access via the Claude Code tool.
  - Sanitization: Absent; input is treated as literal keystrokes for the terminal session.
Audit Metadata