Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
frp-tunnel
v1.0.0Share local development servers via self-hosted frp tunnel with custom domains and auto HTTPS. Use when you need to share localhost with others, demo to clie...
⭐ 0· 150·0 current·0 all-time
byJoey Luo@darwin7381
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The declared purpose (self-hosted frp tunnel) matches the actions in SKILL.md (install frps/frpc, Caddy, DNS). However the skill contains a hard-coded VPS IP (5.223.75.160) and wildcard domain (*.tunnel.fud.city) that appear to belong to the author, and the documentation instructs storing and using a Cloudflare API token and SSH key. The metadata declares no required env vars/credentials while the instructions clearly require them — an incoherence.
Instruction Scope
SKILL.md and setup-guide.md instruct many privileged operations: generating an SSH key with no passphrase, uploading that public key to Hetzner, giving the AI SSH access (explicitly 'recommend AI operate VPS'), storing CF_API_TOKEN in systemd unit, pushing frpc config to GitHub. These steps go beyond simple usage guidance and create broad access/credentialization opportunities that are not reflected in the skill manifest.
Install Mechanism
This is an instruction-only skill (no install spec). The concrete download commands reference standard release hosts (GitHub releases for frp and caddyserver.com for Caddy with plugin) which is expected for this setup. No arbitrary pastebin/shortener or unknown binaries are used.
Credentials
The instructions require sensitive secrets (Cloudflare API token for DNS-01 wildcard certs) and creation of an SSH key (explicitly suggested without passphrase) but the skill declares no required env vars or primary credential. The skill also encourages syncing frpc.toml to a (private) GitHub repo which could leak server addresses or other config. The requested credentials are reasonable for wildcard TLS, but their omission from metadata and the recommendation to create insecure keys is disproportionate and risky.
Persistence & Privilege
The skill is not marked always:true and has no code that would persist on the agent. However the guides explicitly recommend creating an unprotected SSH key for the AI to use and invite the AI to perform remote provisioning — if you follow that advice you could grant the agent (or any holder of that key) long-lived root access to your VPS. That operational recommendation increases blast radius if you allow autonomous agent actions.
What to consider before installing
This skill provides a plausible, detailed guide to deploy frp+Caddy, but it also (1) includes a hard-coded external VPS IP and domain you should NOT use as-is, (2) tells you to create an SSH key with no passphrase and to give the AI SSH access — avoid doing that, (3) instructs storing a Cloudflare API token in a systemd env and optionally pushing frpc.toml to GitHub — both can expose secrets. Before installing or following the guide: replace the VPS IP and domain with resources you control; never create passphrase-less keys for automated remote access or give an AI direct SSH access; scope Cloudflare tokens to the minimum permissions and prefer short-lived credentials; do not push sensitive config to remote repos unless you encrypt or audit them; consider running the VPS provisioning steps manually (or in your own controlled automation) rather than handing access to an agent.Like a lobster shell, security has layers — review code before you run it.
latestvk97a9kqnrefxer5pdyzcq5yyqh832j2m
License
MIT-0
Free to use, modify, and redistribute. No attribution required.