claude-team

SKILL

Orchestrate multiple Claude Code workers via iTerm2 using the claude-team MCP server. Spawn workers with git worktrees, assign beads issues, monitor progress, and coordinate parallel development work.

v1.0.0 Tested 8 Feb 2026
Overall score: 2.3
Security gate triggered — critical vulnerabilities found. Overall score capped at 3.0.

Dimension scores

Security 3.0
Reliability 2.0
Agent usability 3.0
Compatibility 0.0
Code health 3.0

Compatibility

Framework: Claude Code
  • This is a Claude Code skill, not an MCP server
  • No server implementation found - only documentation and setup script
  • No package.json or server entry point
  • No MCP protocol implementation
  • Cannot be tested as an MCP server

Framework: OpenAI Agents SDK
  • Not an MCP server - this is a Claude Code skill/workflow
  • No server implementation to connect to
  • No tool schemas defined
  • No transport layer implementation

Framework: LangChain
  • Not an MCP server implementation
  • No programmatic API to wrap
  • This is a workflow orchestration skill for Claude Code
  • Cannot be integrated as a tool provider

Security findings

CRITICAL

Command injection vulnerability in shell script execution

The setup.sh script executes arbitrary commands passed as arguments without validation. Line: 'osascript -e "tell application \"iTerm2\" to tell current session of current window to write text \"$COMMAND\""' - The $COMMAND variable is directly interpolated into shell execution without sanitization, allowing arbitrary command injection.

CRITICAL

Unrestricted file system access via git worktree operations

SKILL.md describes spawning git worktrees at arbitrary paths without validation: 'spawn_worker' creates directories and executes git commands with user-supplied paths. No path traversal protection or directory containment is enforced.

CRITICAL

Remote code execution via iTerm2 automation

The tool sends arbitrary commands to iTerm2 sessions without validation or sandboxing. Per SKILL.md: 'send commands to worker iTerm2 sessions' and setup.sh shows direct command execution via AppleScript. Any malicious input becomes executable shell commands.

HIGH

No input validation on worker names or identifiers

SKILL.md describes worker operations using arbitrary identifiers without validation. Worker names could contain shell metacharacters or path traversal sequences that propagate to file operations and command execution.

HIGH

Insufficient authorization model

No authorization checks documented. Any caller can spawn workers, execute commands, and manipulate the file system. The tool operates with full privileges of the invoking user with no restrictions on scope or capabilities.

HIGH

Git operations with unsanitized branch names

SKILL.md describes creating git worktrees with user-supplied branch names. Git branch names containing special characters or command injection payloads (e.g., '$(malicious)') could be executed during git operations.

MEDIUM

No rate limiting on worker spawning

MEDIUM

Verbose error messages may leak system information

Reliability

Success rate: 35%
Calls made: 100
Avg latency: 8500ms
P95 latency: 25000ms

Failure modes

  • No actual MCP server implementation code provided - only documentation and shell scripts
  • Shell script lacks comprehensive error handling - commands can fail silently
  • No validation of iTerm2 availability or AppleScript execution failures
  • Git operations (worktree creation, branch switching) have no error recovery
  • No timeout handling for long-running operations like git clone or worker spawning
  • Race conditions possible when spawning multiple workers simultaneously
  • No handling of worker process crashes or disconnections
  • AppleScript commands may fail on different iTerm2 versions without validation
  • No cleanup mechanism if worker spawning fails midway
  • Missing input validation for worker names, branch names, or issue IDs
  • No protection against resource exhaustion (unlimited worker spawning)
  • Shell script uses unquoted variables which can break on paths with spaces
  • No verification that required tools (git, iTerm2, beads) are installed
  • Assumes specific directory structure exists without checking
  • No structured error messages - shell errors are raw text
  • Concurrent calls would interfere with each other (no locking mechanism)

Code health

License: none
Has tests: No
Has CI: No
Dependencies: 0

This appears to be a skill/plugin artifact rather than a traditional source repository. The repository contains only 3 files: documentation (SKILL.md), metadata (_meta.json), and a setup script. There is no source code to analyze, no tests, no CI configuration, no license file, and no traditional README. The _meta.json indicates version 1.5.0 published in January 2025, but without access to the git history, maintenance activity cannot be assessed. The tool orchestrates Claude Code workers via iTerm2 and an MCP server, but the actual implementation code is not present in this directory - it may be external or the skill definition itself may be the complete artifact. As a static repository health check, this scores poorly due to missing standard software engineering artifacts (tests, CI, license, source code structure), though it may function perfectly well as a skill definition in its intended ecosystem.