Skill v1.1.0

ClawScan security

Share Local Site · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 14, 2026, 9:02 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's files and instructions coherently implement a local-tunnel helper (ngrok, localhost.run, cloudflared); nothing requests unrelated secrets or installs unknown code.
Guidance
This skill appears to do what it says: open a public tunnel to a local dev server. Before using it, keep in mind: (1) tunnels expose whatever is served on the chosen port—do not share sensitive dashboards, internal APIs, or authentication-protected pages; (2) the guide includes options that reduce security (StrictHostKeyChecking=no for SSH and DANGEROUSLY_DISABLE_HOST_CHECK for dev servers) which make connections easier but lower safety—only use them if you understand the risk; (3) your ngrok authtoken is a secret—do not paste it into untrusted places; (4) localhost.run establishes an outbound SSH connection to a third party—if you have strict network or data policies, review that; (5) the helper script is small and interactive (prompts before continuing if no server is detected) and requires standard tools (ssh, curl, ngrok/cloudflared if selected). Finally, if you consider the recommended persistent-process skill, review that other skill separately before installing.

Review Dimensions

Purpose & Capability
ok: The name and description (share a local dev server) align with the included SKILL.md and the helper script. The script and docs only invoke tunneling services (ssh to localhost.run, ngrok, cloudflared) and local checks; there are no unrelated credentials, binaries, or install actions.
Instruction Scope
note: Instructions direct the agent/user to run SSH/ngrok/cloudflared and to query local endpoints (e.g., localhost:4040). This is expected. Two potentially risky but coherent items are present: the SKILL.md shows a command that disables SSH host-key checking (StrictHostKeyChecking=no) for localhost.run, and it documents use of DANGEROUSLY_DISABLE_HOST_CHECK for some dev servers. Both are relevant to the task but reduce security if used carelessly; the skill does advise a pre-send checklist to verify the tunnel content before sharing.
Install Mechanism
ok: This is instruction-only with a small helper script. There is no automatic installer, no downloads from arbitrary URLs, and no extracted archives. Suggested installs (brew, npm, or ngrok.com) are standard and optional; nothing in the package writes or executes third-party code silently.
Credentials
ok: The skill declares no environment variables or credentials. The only credential-like item referenced is the user's ngrok authtoken (documented as expected). No unrelated secrets or config paths are requested.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated persistence. It recommends (but does not require) installing a separate 'persistent-process' skill to keep tunnels running across agent restarts; that is a separate decision and not inherent privilege escalation in this package.