Ogp Expose
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent, instruction-only guide for making OGP publicly reachable, with expected risks around public tunneling, provider login/token use, optional installs, and explicitly requested persistence.
Install or use this only if you intend to make your OGP daemon publicly reachable. Review any package or `sudo` install commands before running them, keep provider tokens private, verify that `gatewayUrl` matches the intended public endpoint, and avoid enabling persistent services unless you want a long-lived deployment.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the tunnel can make the OGP daemon reachable from the public internet and affect federation behavior.
The skill intentionally exposes a local daemon through a public HTTPS tunnel. This is purpose-aligned, but it is a high-impact network action users should explicitly intend.
`ogp expose` can create a temporary public URL for your OGP daemon.
Only run the expose commands when you want public reachability, verify the public discovery card and `gatewayUrl`, and stop temporary tunnels when finished.
Tunnel provider credentials can create or manage public tunnel endpoints under the user's provider account.
The skill may require a provider credential for ngrok, and also documents `cloudflared tunnel login`. These credentials are expected for tunnel setup and are not shown being logged or sent elsewhere.
ngrok config add-authtoken <your-token>
Use official provider tools, avoid sharing tokens in chat or logs, and revoke provider tokens if they are no longer needed.
If the downloaded binary or package source is not what the user expects, it could affect the local system.
The documented Linux install path downloads the latest executable and installs it into a system binary path. This is user-directed and related to the skill, but it is unpinned installation of executable code.
wget https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64
sudo mv cloudflared-linux-amd64 /usr/local/bin/cloudflared
sudo chmod +x /usr/local/bin/cloudflared
Prefer official package-manager instructions where possible, verify the download source/checksum, and review commands before using `sudo`.
If the user chooses the persistent setup, OGP may continue running beyond the current task or terminal session.
The skill acknowledges an optional persistent service path. It is disclosed and requires explicit user action, so this is a notice rather than a concern.
It installs no persistent services unless you explicitly run `ogp install` (which creates a LaunchAgent/systemd service and asks for confirmation first).
Use persistent service installation only for a permanent deployment, confirm prompts carefully, and know how to stop or uninstall the service.
