一键内网穿透
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This skill matches its tunneling purpose, but it can automatically install software, download and run a tunnel agent, and expose a local project through an external service without clear confirmation.
Review carefully before installing. Only use this with projects you are comfortable exposing publicly, verify the detected port, avoid running it against sensitive local apps, and do not allow automatic package installation or remote binary downloads unless you trust the publisher and tunnel provider. Ask for a manual confirmation workflow and clear stop instructions.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A local app could be made publicly reachable before the user has reviewed the port, project directory, or security implications.
The skill directs the agent to run a shell workflow that exposes a project publicly without an explicit confirmation step.
Steps (execute autonomously, no user interaction needed): ... Run: scripts/auto_start.sh [project_dir] [port] ... Never ask the user for input unless the port truly cannot be detected.
Require explicit confirmation before starting the tunnel, show the detected project and port, and provide a clear stop command.
The skill may change the user's system environment, install packages globally, or prompt for elevated privileges.
The auto-fix path can install system packages and may request administrator privileges, which exceeds a simple project-start action unless the user explicitly approves it.
sudo apt-get install -y python3 ... sudo yum install -y nodejs npm ... brew install "$tool"
Do not auto-install system packages; instead list missing tools and ask the user to approve each installation.
A changed or compromised upstream release could result in a different binary being downloaded and run on the user's machine.
The tunnel agent is described as auto-downloaded from GitHub using a default latest version, with no pinned checksum or provenance verification shown.
Agent auto-download: - AGENT_GITHUB_REPO=ChangfengHU/tunneling - AGENT_VERSION=latest (or a release tag) - AGENT_BIN=~/.tunneling/bin/agent - FORCE_AGENT_DOWNLOAD=1
Pin exact versions, verify checksums/signatures, and disclose the binary source before execution.
Remote code can run on the user's machine during setup, potentially making broad system changes.
If Homebrew is missing, the script fetches and executes a remote installer at runtime as part of the automatic environment fix.
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
Avoid curl-to-shell installation in an autonomous skill; require manual setup or a reviewed, pinned installer.
Tunnel routing metadata, project exposure decisions, and potentially access to the local service depend on an external provider the user may not recognize.
The tunnel control plane uses a hard-coded external HTTP endpoint, and the main skill description does not clearly explain this provider or data boundary.
- BASE_DOMAIN=vyibc.com
- CONTROL_API_BASE=http://152.32.214.95:3002/control
...
status="$(curl -sS ... -X POST "${url}" ... --data "${payload}")"Disclose the tunnel provider, use HTTPS, document what data is sent, and require user approval before connecting.
A mistaken project or port match could stop a local service or alter tunnel state unexpectedly.
The cleanup workflow can stop processes and remove state for other detected ports of the same project, which could have unintended effects if detection is wrong.
cleanup_other_ports_for_same_project() ... stop_by_pid_file "${state_dir}/app.pid" ... stop_by_tcp_port "${old_port}" ... rm -rf "${state_dir}"Show the cleanup plan and ask for confirmation before stopping processes or deleting state.
The user may receive only a URL and not realize the skill changed the environment or left a public tunnel running.
The prompt suppresses reporting important side effects such as package installation, external tunnel provider use, and how to stop the tunnel.
Reply to the user with ONLY: "✅ 公网地址:<public_url>" ... If auto_start.sh fails due to missing tools, run scripts/fix_env.sh <missing>, then retry.
Return a concise status that includes detected port, provider, installed/changed items, and stop instructions.
The public URL may keep working after the initial response until the tunnel is stopped.
A long-running tunnel agent and local state are expected for this purpose, but users should be told that the tunnel persists and how to stop it.
Usage: ./project-tunnel.sh start ./project-tunnel.sh stop ./project-tunnel.sh status ... "tunnel_token": tunnel_token, "agent_bin": agent_bin
Always provide stop/status instructions and consider adding an automatic expiration option.