Cloud-Local Bridge
Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill appears to be a real cloud-to-local bridge, but it gives remote callers token-protected shell execution and broad local file access that are not tightly scoped.
Install only if you intentionally want a cloud or paired OpenClaw instance to control this local machine. Before use, bind it to localhost or a private VPN, avoid exposing it to the internet, run it as a low-privilege user, restrict commands and file paths, use strong per-device tokens, and review the complete untruncated package source.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can reach the service and obtain the token can run commands as the Bridge process, potentially changing local OpenClaw state or the host system.
The bridge listens on all interfaces by default and runs a request-supplied command through the shell after only a bearer-token check; no command allowlist or per-command approval is shown.
parser.add_argument('--host', type=str, default='0.0.0.0' ...)
...
result = subprocess.run(command, shell=True, capture_output=capture, text=True, timeout=timeout)
Run only on localhost, a VPN, or an SSH tunnel; use a low-privilege OS user; avoid shell=True where possible; add command allowlists and require explicit human approval for high-impact commands.
A paired or token-holding remote side could read sensitive local files or overwrite files accessible to the Bridge process.
The file API accepts caller-supplied paths for upload, download, and read operations, with no visible directory boundary, path normalization, exclusion list, or separate read/write permission.
file_path = data.get('path', '')
...
with open(file_path, 'wb') as f:
f.write(file_content)
...
with open(file_path, 'rb') as f:
content = base64.b64encode(f.read()).decode('utf-8')
...
with open(file_path, 'r', encoding='utf-8') as f:
content = f.read()
Restrict file operations to an explicit sync directory, block secrets and OpenClaw config/memory paths by default, validate paths, enforce file-size limits, and separate read and write permissions.
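The path checks recommended above, as an added example that is not the skill's own code: every caller-supplied path is resolved against one sync directory, symlink and `..` escapes are rejected, a blocked-name list covers secrets and config, and read and write are separate token scopes. The sync root, the blocked patterns (including the `.openclaw*` and `memory*` names) and the size limit are assumptions chosen for illustration.

```python
import fnmatch
from pathlib import Path

# Illustrative blocklist (assumed, not taken from the skill): secrets and
# config/memory names that must never be served even inside the sync dir.
BLOCKED_PATTERNS = (".env", "*.pem", "*.key", "id_rsa*", ".openclaw*", "memory*")
MAX_WRITE_BYTES = 10 * 1024 * 1024  # assumed 10 MiB upload limit


class PathRejected(Exception):
    """Raised when a caller-supplied path or operation is not permitted."""


def resolve_sync_path(sync_root: str, requested: str, op: str,
                      scopes: frozenset) -> Path:
    """Return the real on-disk path for a request, or raise PathRejected.

    sync_root: absolute directory the bridge may touch (assumed config value).
    requested: the raw 'path' value from the request body.
    op:        'read' or 'write'; each needs the matching scope on the token.
    scopes:    permissions granted to the presenting token, e.g. {'read'}.
    """
    if op not in ("read", "write"):
        raise PathRejected(f"unknown operation {op!r}")
    if op not in scopes:
        raise PathRejected(f"token lacks {op!r} scope")
    if not requested or "\x00" in requested:
        raise PathRejected("empty path or embedded NUL")

    root = Path(sync_root).resolve()
    # resolve() follows symlinks, so a link inside the sync dir that points
    # outside it fails the containment check. An absolute 'requested' value
    # replaces root in the join and therefore fails the same check.
    candidate = (root / requested).resolve()
    if not candidate.is_relative_to(root):
        raise PathRejected(f"{requested!r} escapes the sync directory")
    if candidate == root:
        raise PathRejected("path must name an entry inside the sync directory")

    # Check every component, so 'secrets/.env' and '.openclaw/x' are blocked.
    for part in candidate.relative_to(root).parts:
        if any(fnmatch.fnmatch(part, pat) for pat in BLOCKED_PATTERNS):
            raise PathRejected(f"{part!r} matches a blocked pattern")
    return candidate


def check_upload_size(content: bytes) -> bytes:
    """Enforce the upload limit before any file is opened for writing."""
    if len(content) > MAX_WRITE_BYTES:
        raise PathRejected(f"upload of {len(content)} bytes exceeds limit")
    return content
```

Call `resolve_sync_path` before every `open()` in the upload, download and read handlers, and `check_upload_size` on the decoded body before the write.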
Pairing can effectively delegate powerful local-machine access to another device or user; if the pairing flow or token is exposed, the remote side can control the bridge.
The natural-language pairing handler stores and returns the Bridge bearer token, which is the credential that authorizes command execution and file access.
Automatically exchange connection information (server address + token)
...
local_token = config.get('local', {}).get('token', '') if config else ''
...
'server': local_server,
'token': local_token
...
'partner_token': initiator_info.get('token', '')
Make token sharing explicit in the user-facing pairing flow, use per-device scoped and revocable tokens, add rate limits and expiry, avoid sending tokens through chat channels, and provide a clear unpair/revoke workflow.
The installed dependency versions may change over time or be affected by package-index risk.
If the optional installer is run, it installs unpinned packages from pip. This is common setup behavior, but it adds supply-chain variability for a high-privilege bridge.
deps = ['requests', 'psutil'] ... subprocess.run([sys.executable, '-m', 'pip', 'install', dep], check=True)
Use a virtual environment, pin package versions and hashes, and publish a reviewed install spec or lockfile.
If left running after the intended task, the local machine remains controllable by anyone with network access and the token.
The bridge is intentionally a long-running service that keeps accepting requests until stopped. This is consistent with the skill's purpose, but it matters because the service has high-impact authority.
server = BridgeServer((args.host, args.port), BridgeHandler, token=args.token) ... server.serve_forever()
Start the service only when needed, document how to stop it, firewall the port, rotate tokens after use, and monitor logs for unexpected requests.
