Skill v1.0.0

ClawScan security

minecraft-bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 10, 2026, 5:25 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's code and dependencies largely match its stated purpose (a local Mineflayer HTTP bridge), but there are a few mismatches and exposure risks you should verify before installing or running it.
Guidance
This skill appears to implement what it claims (a local Mineflayer HTTP bridge) but check a few things before installing or running it:
1) Verify the bridge binds only to localhost (127.0.0.1). If bridge-server.js calls server.listen(port) without a host, it may be reachable from the network — change it to server.listen(port, '127.0.0.1') or firewall it.
2) Confirm the environment-variables list: set MC_BRIDGE_PORT, MC_VERSION, and MC_AUTH as needed (these are referenced by the code/docs but not listed in metadata).
3) Be cautious with POST /command: it forwards arbitrary slash commands; do not run this against servers where the bot has operator privileges unless you trust commands being issued.
4) start.sh will run npm install locally; review the installed package versions and consider locking them (package-lock) or auditing packages before use.
5) Run the bridge under an unprivileged user, and avoid exposing the machine's network interface to untrusted networks.
If you want me to, I can inspect the remainder of bridge-server.js (the truncated part) to confirm the server.listen call and any additional network or file operations.

Review Dimensions

Purpose & Capability
note: Name, description, required binary (node), and npm packages (mineflayer, mineflayer-pathfinder, vec3) align with a Mineflayer-based local bridge. The skill's files (bridge-server.js, start/stop scripts, API docs) are consistent with its claimed functionality. Minor mismatch: SKILL metadata lists MC_HOST, MC_PORT, MC_BOT_USERNAME as required, but the runtime also expects other environment variables (MC_BRIDGE_PORT, MC_VERSION, MC_AUTH) documented in config.example.json and SKILL.md.
Instruction Scope
concern: Runtime instructions focus on starting a local HTTP bridge and calling localhost endpoints (status, move, mine, chat, command, etc.), which is within scope. Concerns: (1) The documentation repeatedly states the bridge is intended for localhost only, but the code snippet does not show an explicit bind address — if bridge-server.js calls server.listen(port) without a host, Node will typically bind to all interfaces (0.0.0.0), exposing the API to the network. Verify the server bind address in the full source. (2) /command forwards arbitrary slash commands (with some commands blocked); this is necessary for usefulness but is a high-risk capability if the bot has elevated permissions — the README warns about this, which is good.
Install Mechanism
note: start.sh will run 'npm install mineflayer mineflayer-pathfinder vec3' in the skill directory if the dependencies are not present. Installing npm packages from the public registry is expected here but carries the usual supply-chain risk (moderate). The install is not downloading arbitrary archives or running code from unknown URLs — it's npm, which is traceable.
Credentials
concern: The declared required env vars (MC_HOST, MC_PORT, MC_BOT_USERNAME) are appropriate. However, the SKILL.md and config.example reference additional env vars (MC_BRIDGE_PORT, MC_VERSION, MC_AUTH) that are not listed in the metadata 'requires.env'. The skill does not request unrelated secrets (no API keys, AWS, etc.), which is good. Still: MC_AUTH may be used to select authentication mode (offline vs microsoft) — if you run against an authenticated server ensure you understand how credentials are supplied and that they are not being accidentally stored or transmitted.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills' configurations. It creates PID and log files under /tmp or XDG_RUNTIME_DIR and can install npm packages into the skill directory — this is normal for a local helper service. Autonomous invocation is allowed (default) but not combined with other high-risk factors here.