Silas Clash Proxy Manager
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent local Clash/Mihomo proxy-management skill, but users should notice that it installs an external proxy binary, stores proxy settings, and can change proxy routing modes.
Install only if you intend to manage a local Clash/Mihomo proxy. Verify the Mihomo download, protect subscription URLs and any API secret, consider enabling a controller secret on shared systems, and remember that global mode can route proxy-using traffic through the selected node until restored.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the downloaded binary or release source were compromised, the installed proxy program would run locally with the privileges granted by the user.
The skill documents a manual download and privileged installation of an external binary, but does not include checksum or signature verification.
curl -Lo /tmp/mihomo.gz https://github.com/MetaCubeX/mihomo/releases/download/v1.19.21/mihomo-linux-amd64-v1.19.21.gz ... sudo mv /tmp/mihomo /usr/local/bin/mihomo
Download only from the official Mihomo/MetaCubeX release page and verify checksums or signatures when available before installing.
Traffic from tools or applications using Clash may be routed through the selected proxy node while global mode is active.
The skill may change the local proxy mode to global as a fallback when external web tools fail; this is disclosed and purpose-aligned, but it changes network routing behavior.
第二次重试:如果还失败,切换 Clash 为 global 模式重试 ... 恢复:成功后切回 rule 模式
Confirm before using global mode on sensitive networks and verify that the mode is restored to rule or direct afterward.
Other local processes or users that can reach 127.0.0.1:9090 may be able to query or change the Clash controller if no secret is set.
The documented local controller is bound to localhost, but the guidance recommends leaving the API secret empty, which weakens the local access boundary.
external-controller: 127.0.0.1:9090 # secret: "你的密码" # 可选,建议空
On shared or untrusted machines, configure a controller secret and adjust API calls to include the required authorization.
If a non-empty API secret or sensitive proxy details are stored there, they may persist across sessions and should be treated as private configuration.
The skill suggests persisting proxy connection details and an API secret field in a memory file for later reuse.
将连接信息保存到 `memory/clash-config.json` ... "api_secret": ""
Keep the memory config file private, avoid storing unnecessary secrets, and remove or rotate any secret if the file is exposed.