ResmoteConsole
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill appears to do its advertised remote-console job, but it can expose a writable terminal and permission-bypassed coding agent over a remote HTTP tunnel, so it needs careful review before use.
Install only if you intentionally want to expose a remote browser terminal to your machine. Before using it, add strong authentication and network restrictions, avoid the `claude-bypass` command, use a restricted SSH account, and verify that the console and tunnel are fully stopped after each session.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the server port is reachable by others, they may be able to access an interactive terminal or CLI agent in the configured project.
The documented default starts a writable ttyd terminal and publishes it through a reverse SSH tunnel to an HTTP URL on the server. The provided artifacts do not show a ttyd password, HTTPS, firewall restriction, or per-client approval.
"options": "-W -t fontSize=16" ... "访问地址:http://{host}:{port}" ... "GatewayPorts yes" 和 "AllowTcpForwarding yes"
Require authentication and transport protection before use, such as ttyd credentials, HTTPS, VPN or firewall allowlisting, and avoid public GatewayPorts unless the exposure is deliberately controlled.
A remote browser session could run Claude Code with normal approval safeguards disabled, allowing file and command actions to proceed automatically in the project.
The included configuration defines a Claude Code mode that disables permission checks and the sample project selects that mode. The SKILL.md warns about this, but shipping it as a ready project command creates a high-impact unsafe path.
"claude-bypass": "claude --dangerously-skip-permissions" ... "projects": { "项目名": { "path": "/path/to/project", "command": "claude-bypass" } }
Use the standard `claude` command by default, remove the bypass preset from shared configuration, and require explicit user confirmation before ever launching a permission-bypassed agent.
Stopping this remote console could unexpectedly terminate unrelated ttyd sessions or other users' web terminals on the same machine.
The stop script kills every process whose name contains `ttyd`; it does not track the PID it started or verify that the process belongs to this skill, project, or port.
if proc.info['name'] and 'ttyd' in proc.info['name'].lower():
    pid = proc.info['pid']
    proc.kill()
Track and stop only the PIDs launched by this skill, or match the full command line, working directory, and port before killing a process.
The remote access path may remain active until the user checks and stops it.
The skill intentionally starts the SSH tunnel as a background process with output suppressed. This is purpose-aligned for a remote console, but users should understand it can keep running after the initial agent task.
subprocess.Popen(
    ['nohup'] + ssh_args,
    stdout=subprocess.DEVNULL,
    stderr=subprocess.DEVNULL
)
After each session, run the status and stop commands, and consider adding PID files or clearer lifecycle prompts.
A misconfigured or over-privileged SSH account could expose more of the server or local environment than intended.
The skill relies on the user's existing SSH alias/key setup to create the reverse tunnel. That is expected for this purpose, but it delegates access through a sensitive account credential.
SSH key: make sure passwordless login works: `ssh {ssh_alias} echo test`
Use a dedicated restricted SSH key/account for this tunnel, keep the server firewall limited, and avoid using highly privileged SSH credentials.
Future installs may receive a different psutil version than the one originally tested.
The dependency is specified with a floating lower bound rather than a fully pinned version. This is a common setup pattern and not suspicious by itself, but it reduces reproducibility.
psutil>=5.9.0
Install from trusted package indexes and consider pinning exact dependency versions for a stable deployment.
