Clash Controller

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is mostly aligned with controlling Clash locally, but it hardcodes a controller secret and can change proxy routing in cases where the user may only be asking to view information.

Review carefully before installing. If you use it, replace the hardcoded controller secret with your own private configuration, avoid enabling LAN proxy access unless you need it, and confirm proxy-changing actions explicitly.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The assistant could change your active proxy route when you intended only to inspect available nodes or ask an ambiguous question.

Why it was flagged

The switch-node condition matches any command containing “节点” before the node-list condition, so a request for a node list can perform a proxy-changing PUT request instead of a read-only list operation.

Skill content

if (args.includes('切换') || args.includes('换') || args.includes('节点')) { ... await request('/proxies/GLOBAL', 'PUT', { name: '自动选择' }); ... }

if (args.includes('节点') || args.includes('list') || args.includes('列表')) {

Recommendation

Require explicit user intent for write actions, check read-only commands before mutation commands, and avoid broad single-character or generic substring triggers for proxy changes.
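The routing fix described above, as an added example that is neither the skill's code nor ClawScan's: the flawed check order quoted in the finding is reproduced beside a hardened router that matches read-only intents first, accepts a route change only on an explicit leading verb plus a named target, and marks every write as needing confirmation. The skill's request() helper is assumed to take (path, method, body); both routers here only return the planned call, so nothing is sent.

```javascript
// Added example, not code from the skill or from ClawScan: a command router for
// a Clash controller assistant, showing the flawed ordering quoted in the finding
// beside a hardened version. The skill's request() helper is assumed to take
// (path, method, body); both routers here only return the planned call so that
// nothing is sent while the routing logic is tested.

const LIST_CALL = { action: 'list', method: 'GET', path: '/proxies', body: null, needsConfirmation: false };
const ASK = { action: 'ask', method: null, path: null, body: null, needsConfirmation: true };

function switchCall(name) {
  // Route changes are writes: the assistant must echo this plan back and get an
  // explicit yes before calling request(path, method, body).
  return { action: 'switch', method: 'PUT', path: '/proxies/GLOBAL', body: { name }, needsConfirmation: true };
}

// Flawed router, mirroring the ordering in the finding: the mutation branch runs
// first and matches any command containing '节点', so "列出节点" (list nodes)
// is planned as a PUT that changes the active proxy to '自动选择'.
function planVulnerable(args) {
  if (args.includes('切换') || args.includes('换') || args.includes('节点')) {
    return { ...switchCall('自动选择'), needsConfirmation: false };
  }
  if (args.includes('节点') || args.includes('list') || args.includes('列表')) {
    return LIST_CALL;
  }
  return ASK;
}

// Hardened router:
//  1. read-only intents are matched first;
//  2. a proxy change needs the explicit verb '切换' / 'switch' at the start of
//     the command followed by a named target, never the bare substring '换'
//     or '节点';
//  3. anything else is returned as 'ask' so the assistant clarifies instead
//     of guessing, and every write carries needsConfirmation: true.
const READ_VERB = /^(?:list|列表|列出|查看|显示)/i;
const SWITCH_CMD = /^(?:切换|switch)(?:到|节点|\s+to)?\s*(\S.*)$/i;
const GENERIC_TARGETS = new Set(['节点', '代理', 'node', 'proxy']);

function planHardened(args) {
  const text = args.trim();
  if (READ_VERB.test(text) || text === '节点' || /列表$/.test(text)) {
    return LIST_CALL;
  }
  const m = SWITCH_CMD.exec(text);
  if (m) {
    const target = m[1].trim();
    if (!GENERIC_TARGETS.has(target)) return switchCall(target);
  }
  return ASK;
}

// Constructed sample commands and what each router would do with them.
const SAMPLES = ['列出节点', '节点', '切换节点 自动选择', 'switch to HK', '换节点', '切换'];
for (const cmd of SAMPLES) {
  console.log(JSON.stringify(cmd), '-> vulnerable:', planVulnerable(cmd).method || 'ask', '| hardened:', planHardened(cmd).action);
}
```

The hardened router deliberately returns 'ask' for "换节点" and for a bare "切换": an ambiguous command should prompt a clarifying question, not a guessed PUT. The needsConfirmation flag is the hook where the assistant shows the user the exact node name before the write is sent.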

What this means

To make the skill work, a user may need to configure Clash with a publicly visible shared secret, which weakens access control for the local controller.

Why it was flagged

The skill embeds a fixed Bearer token for the Clash controller instead of obtaining a user-provided secret through declared configuration or environment variables.

Skill content

const secret = 'ff62c2da-1504-446b-986f-f13ba034e8a5'; ... 'Authorization': `Bearer ${secret}`

Recommendation

Remove the hardcoded secret, declare the credential requirement in metadata, and read the controller secret from a user-controlled config or environment variable.

What this means

Other devices on the same network may be able to use the user's proxy if Clash is configured this way.

Why it was flagged

The documentation recommends enabling LAN access, which can expose the proxy service to other devices on the local network, but it does not explain that security tradeoff and it is not clearly needed for a localhost controller.

Skill content

allow-lan: true

Recommendation

Do not enable LAN access unless the user explicitly needs it; document the exposure clearly and prefer `allow-lan: false` for local-only control.
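The two configuration recommendations above (read the controller secret from user-controlled configuration rather than a hardcoded constant, and keep allow-lan off for local-only control) as one added example that is not the skill's own code. The environment variable name CLASH_SECRET is this example's choice; `secret`, `allow-lan` and `external-controller` are top-level keys of Clash's config.yaml, and the sample config is constructed for the example.

```javascript
// Added example, not the skill's own code: read the controller secret from the
// user's environment or Clash config instead of a hardcoded constant, and review
// the config for the settings flagged in this review. The variable name
// CLASH_SECRET is this example's choice; `secret`, `allow-lan` and
// `external-controller` are top-level keys of Clash's config.yaml.

// Minimal parser for top-level `key: value` lines. A real skill should use a
// YAML library; this keeps the example dependency-free and only handles the
// flat keys it needs. Only a whole-line or whitespace-preceded '#' counts as a
// comment, so a secret containing '#' is not truncated.
function parseClashConfig(text) {
  const out = {};
  for (const raw of text.split('\n')) {
    const line = raw.replace(/^#.*$|\s#.*$/, '').trim();
    const m = /^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$/.exec(line);
    if (m) out[m[1]] = m[2].replace(/^(['"])(.*)\1$/, '$2');
  }
  return out;
}

// Secret precedence: environment variable first, then the user's own config.
// Nothing in the skill bundle itself holds the credential.
function loadControllerSecret({ env = {}, configText = '' } = {}) {
  if (env.CLASH_SECRET) return env.CLASH_SECRET;
  const secret = parseClashConfig(configText).secret;
  if (secret) return secret;
  throw new Error('Clash controller secret not configured: set CLASH_SECRET or `secret:` in config.yaml');
}

function authHeaders(secret) {
  return { Authorization: `Bearer ${secret}` };
}

// Flags the two exposure problems from the review: a controller with no secret
// and a proxy reachable from the LAN. The loopback check on external-controller
// is an extra sanity check for a local-only setup.
function reviewClashConfig(text) {
  const cfg = parseClashConfig(text);
  const findings = [];
  if (!cfg.secret) {
    findings.push('no controller secret: anyone who can reach the controller can change routing');
  }
  if (cfg['allow-lan'] === 'true') {
    findings.push('allow-lan: true exposes the proxy to other devices on the network; prefer allow-lan: false');
  }
  if (cfg['external-controller'] && !/^(?:127\.0\.0\.1|localhost):\d+$/.test(cfg['external-controller'])) {
    findings.push('external-controller is not bound to loopback');
  }
  return findings;
}

// Constructed sample config for this example (not a real deployment).
const SAMPLE_CONFIG = `
# constructed config.yaml
external-controller: 127.0.0.1:9090
secret: example-secret-from-config
allow-lan: true
`;

console.log('secret from env:', loadControllerSecret({ env: { CLASH_SECRET: 'example-from-env' }, configText: SAMPLE_CONFIG }));
console.log('secret from config:', loadControllerSecret({ configText: SAMPLE_CONFIG }));
console.log('findings:', reviewClashConfig(SAMPLE_CONFIG));
```

Because loadControllerSecret throws when no secret is configured, a skill built this way fails closed at startup instead of silently falling back to a token shipped in its own source; reviewClashConfig gives the user a concrete warning before LAN exposure is enabled.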