Finding
File: .claude/skills/setup-agent-team/growth.sh
Lines: 93-96
Severity: MEDIUM
Description
The kill_claude() function uses pkill -P without verification of process ownership. Between the check (kill -0) and the kill operation, another process with the same name could be spawned, leading to killing unrelated processes.
pkill -TERM -P "${CLAUDE_PID}" 2>/dev/null || true
kill -TERM "${CLAUDE_PID}" 2>/dev/null || true
sleep 5
pkill -KILL -P "${CLAUDE_PID}" 2>/dev/null || true
kill -KILL "${CLAUDE_PID}" 2>/dev/null || true
Impact
- Could terminate unrelated processes if PIDs are reused
- Potential DoS if system processes are affected
- Race window between check and kill operations
Recommendation
Use process group killing instead:
# Set process group when spawning claude
setsid claude ... &
CLAUDE_PID=$!
# Kill entire process group
kill -TERM -${CLAUDE_PID} 2>/dev/null || true
Or verify process ownership before killing:
if ps -p "${CLAUDE_PID}" -o comm= | grep -q '^claude$'; then
pkill -TERM -P "${CLAUDE_PID}" || true
fi
-- security/shell-scanner
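The two recommendations above can be combined, shown here as an added example (not code from growth.sh or from the scanner): start the child in its own process group, record its kernel start time, and refuse to signal if that start time no longer matches. It assumes Linux `/proc` and util-linux `setsid`; the names `proc_field`, `spawn_group`, `kill_group_verified`, `SPAWN_PID` and `SPAWN_START` are hypothetical.

```bash
#!/bin/sh
# Added example, not code from growth.sh. Linux-only (reads /proc).

# Print field N (numbered as in proc(5)) of /proc/PID/stat.
# comm (field 2) may contain spaces, so cut at the last ") " first.
proc_field() {
    stat=$(cat "/proc/$1/stat" 2>/dev/null) || return 1
    skip=$(( $2 - 3 ))          # fields 1-2 (pid, comm) are stripped below
    set -- ${stat##*) }
    shift "$skip"
    printf '%s\n' "$1"
}

# Run "$@" as leader of a new session and process group.
# Sets SPAWN_PID and SPAWN_START (hypothetical names for this example).
spawn_group() {
    setsid "$@" &
    SPAWN_PID=$!
    tries=0
    # Wait until the child is its own group leader (pgrp, field 5, == pid).
    while [ "$(proc_field "$SPAWN_PID" 5)" != "$SPAWN_PID" ]; do
        tries=$(( tries + 1 ))
        [ "$tries" -lt 50 ] || return 1
        sleep 0.1
    done
    SPAWN_START=$(proc_field "$SPAWN_PID" 22)   # start time in clock ticks
}

# Signal process group PID only if PID still has the recorded start time.
# Returns 2 without signalling if the PID is gone or has been reused.
# This narrows the check-to-kill window; it does not remove it entirely.
kill_group_verified() {
    pid=$1 want=$2 grace=${3:-5}
    [ "$(proc_field "$pid" 22)" = "$want" ] || return 2
    kill -s TERM -- "-$pid" 2>/dev/null || true
    while [ "$grace" -gt 0 ] && kill -s 0 -- "-$pid" 2>/dev/null; do
        sleep 1
        grace=$(( grace - 1 ))
    done
    kill -s 0 -- "-$pid" 2>/dev/null || return 0   # group is gone
    kill -s KILL -- "-$pid" 2>/dev/null || true
}
```

A PID cannot be reassigned while it is still in use as a process group ID, so once the start-time check passes, signalling the group is safer than `pkill -P` against a bare PID.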