Private Bridge
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill openly provides remote control of an OpenClaw node, but it grants broad remote execution and restart authority, and its TLS safety claim is undercut by code that can fall back to unencrypted WebSockets.
Install only if you deliberately want this relay and its token holders to have remote-control access to your OpenClaw node. Use a trusted wss:// relay, avoid http/ws configurations, protect and rotate AUTH_TOKEN, verify the package version/source, and restrict which workflows can be triggered remotely.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who controls the relay path or obtains the relay token may be able to make the OpenClaw node run prompts, trigger workflows, or restart.
Relay-provided messages directly invoke prompt execution, workflow execution, and process restart. The code does not show local confirmation, workflow allowlisting, or per-command authorization beyond being connected to the relay.
await this.runtime.executePrompt(prompt, ...); ... await this.runtime.restart(); ... await this.runtime.executeWorkflow(workflowId, params);
Treat the relay token and relay operator as admin-equivalent. Add role-scoped tokens, an allowlist for remotely callable workflows, audit logs, and explicit controls for disabling remote restart or requiring approval for high-impact actions.
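The controls recommended above, written out as an added example rather than code from the skill. The message shape, the Policy fields, the sample token strings and the runtime signatures are assumptions made for illustration; the runtime method names follow the snippet quoted in this finding.

```typescript
// Added example (not the Private Bridge skill's code): authorization in front of
// the runtime. Role-scoped, per-node tokens, a workflow allowlist, a restart
// switch plus an approval hook, and an audit log. All names are illustrative.

type Role = "operator" | "viewer";
type Action = "prompt" | "workflow" | "restart";

interface TokenRecord { nodeId: string; role: Role; }

interface RelayMessage {
  type: Action;
  token: string;
  data: { prompt?: string; workflowId?: string; params?: Record<string, unknown> };
}

interface Policy {
  nodeId: string;                        // this node; tokens minted for other nodes are refused
  tokens: Map<string, TokenRecord>;      // a separate token per node, each with a role
  workflowAllowlist: Set<string>;        // only these workflows may be triggered remotely
  allowRemoteRestart: boolean;           // off unless the operator turns it on
  approve: (action: Action) => boolean;  // out-of-band approval for high-impact actions
}

interface Decision { allow: boolean; reason: string; }
interface AuditEntry { at: string; action: Action; token: string; decision: Decision; }

// Append-only audit trail; tokens are redacted before they are logged.
const AUDIT: AuditEntry[] = [];
const redact = (token: string): string => token.slice(0, 4) + "...";

function authorize(msg: RelayMessage, policy: Policy): Decision {
  const record = policy.tokens.get(msg.token);
  let d: Decision;
  if (!record) d = { allow: false, reason: "unknown token" };
  else if (record.nodeId !== policy.nodeId) d = { allow: false, reason: "token issued for another node" };
  else if (record.role !== "operator") d = { allow: false, reason: `role ${record.role} may not ${msg.type}` };
  else if (msg.type === "workflow" && !policy.workflowAllowlist.has(msg.data.workflowId ?? ""))
    d = { allow: false, reason: `workflow ${msg.data.workflowId} not allowlisted` };
  else if (msg.type === "restart" && !policy.allowRemoteRestart) d = { allow: false, reason: "remote restart disabled" };
  else if (msg.type === "restart" && !policy.approve("restart")) d = { allow: false, reason: "restart not approved" };
  else d = { allow: true, reason: "authorized" };
  AUDIT.push({ at: new Date().toISOString(), action: msg.type, token: redact(msg.token), decision: d });
  return d;
}

// The runtime surface the skill calls into (signatures assumed from the quoted snippet).
interface NodeRuntime {
  executePrompt(prompt: string): Promise<string>;
  executeWorkflow(workflowId: string, params: Record<string, unknown>): Promise<string>;
  restart(): Promise<void>;
}

async function dispatch(msg: RelayMessage, policy: Policy, runtime: NodeRuntime): Promise<string> {
  const d = authorize(msg, policy);
  if (!d.allow) return `denied: ${d.reason}`;
  switch (msg.type) {
    case "prompt": return runtime.executePrompt(msg.data.prompt ?? "");
    case "workflow": return runtime.executeWorkflow(msg.data.workflowId ?? "", msg.data.params ?? {});
    case "restart": await runtime.restart(); return "restarted";
    default: return "unsupported message type";
  }
}

// Constructed sample policy and a stub runtime so the file runs offline.
const demoPolicy: Policy = {
  nodeId: "node-a",
  tokens: new Map<string, TokenRecord>([
    ["opr-node-a-9f3c", { nodeId: "node-a", role: "operator" }],
    ["vwr-node-a-1b77", { nodeId: "node-a", role: "viewer" }],
    ["opr-node-b-44e0", { nodeId: "node-b", role: "operator" }],
  ]),
  workflowAllowlist: new Set(["daily-report"]),
  allowRemoteRestart: false,
  approve: () => false,   // nobody is around to approve anything in this demo
};
const stubRuntime: NodeRuntime = {
  executePrompt: async (p) => `ran prompt: ${p}`,
  executeWorkflow: async (id) => `ran workflow: ${id}`,
  restart: async () => { /* would restart the node */ },
};

const demoMessages: RelayMessage[] = [
  { type: "workflow", token: "opr-node-a-9f3c", data: { workflowId: "daily-report" } },
  { type: "workflow", token: "opr-node-a-9f3c", data: { workflowId: "rotate-keys" } },
  { type: "restart", token: "opr-node-a-9f3c", data: {} },
  { type: "prompt", token: "vwr-node-a-1b77", data: { prompt: "rm -rf /" } },
  { type: "prompt", token: "opr-node-b-44e0", data: { prompt: "hello" } },
];
Promise.all(demoMessages.map((m) => dispatch(m, demoPolicy, stubRuntime))).then((r) => console.log(r, AUDIT));
```

Only the first message is executed; the others are refused and every decision, allowed or denied, lands in AUDIT with the token redacted. Restart needs both the policy switch and a positive approval, so a relay or token holder alone can never trigger it.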
If configured with a non-TLS relay URL, the auth token and relay traffic could be exposed or modified on the network.
The client permits an http:// relay URL to become an unencrypted ws:// WebSocket. The same socket is used to send the auth token, heartbeats, prompts, and response tokens.
url = url.replace(/^http:\/\//, "ws://");
Reject ws:// for non-localhost use, require wss:// by default, and make any insecure development mode explicit with warnings.
Users may believe the relay connection is always encrypted when the code allows an insecure configuration path.
The SKILL.md safety claim quoted below is stronger than the implementation: config.ts can rewrite http:// to ws://, allowing unencrypted WebSocket connections.
**TLS encrypted** — all WebSocket connections use `wss://` (TLS 1.2+)
Align the documentation and implementation by enforcing wss://, or clearly document when ws:// is allowed and what risks it creates.
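The URL policy that the two findings above call for (no silent http:// to ws:// downgrade, wss:// by default, ws:// only for loopback behind an explicit flag), as an added example that is not the skill's config.ts. The function name, the result shape and the allow_insecure_loopback flag are assumptions.

```typescript
// Added example, not the skill's config.ts: relay URL policy that keeps wss://
// as the only default, never turns http:// into a silent ws:// downgrade, and
// allows ws:// solely for loopback hosts behind an explicit opt-in flag.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

type RelayUrlCheck =
  | { ok: true; url: string; insecure: boolean }
  | { ok: false; reason: string };

// allowInsecureLoopback is the assumed name of a development-only config flag.
function checkRelayUrl(input: string, allowInsecureLoopback = false): RelayUrlCheck {
  // Map HTTP schemes to their WebSocket counterparts explicitly: https keeps TLS as
  // wss, while http becomes ws and is then judged by the same rule as a literal ws://.
  const text = input.trim().replace(/^https:\/\//i, "wss://").replace(/^http:\/\//i, "ws://");
  let u: URL;
  try {
    u = new URL(text);
  } catch {
    return { ok: false, reason: `relay_url is not a valid URL: ${input}` };
  }
  if (u.protocol === "wss:") return { ok: true, url: u.toString(), insecure: false };
  if (u.protocol !== "ws:") return { ok: false, reason: `unsupported relay scheme ${u.protocol}` };
  if (!allowInsecureLoopback) {
    return { ok: false, reason: "ws:// refused: set allow_insecure_loopback=true for local development only" };
  }
  if (!LOOPBACK_HOSTS.has(u.hostname)) {
    return { ok: false, reason: `ws:// is allowed only for loopback hosts, got ${u.hostname}` };
  }
  console.warn(`WARNING: relay ${u.host} is unencrypted; the auth token and prompts travel in clear`);
  return { ok: true, url: u.toString(), insecure: true };
}

// Constructed inputs, including the http:// case the finding describes.
for (const candidate of ["https://relay.example/bridge", "http://relay.example/bridge", "ws://localhost:8080"]) {
  console.log(candidate, "->", checkRelayUrl(candidate));
}
```

The loopback check is on the hostname string only, so a name that merely resolves to 127.0.0.1 is still refused, which is the conservative behaviour wanted here. Anything that passes with insecure set to true should be logged loudly at startup, not just once at config load.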
A leaked or over-shared token could let someone impersonate or control the node through the relay.
The auth token is sent to the relay during the hello/auth handshake. This is expected for the stated relay purpose, but it is a sensitive credential that grants remote-control access.
token: this.config.auth_token
Store the token securely, rotate it if exposed, use separate tokens per node, and only configure trusted relay servers.
The node may keep reconnecting to the relay and remain remotely controllable until the skill is shut down or disabled.
The skill automatically reconnects and sends recurring heartbeats. This persistence is disclosed and purpose-aligned, but it means remote access remains active in the background.
setTimeout(() => this.openSocket(), this.backoff); ... this.heartbeatTimer = setInterval(() => { this.send({ type: "heartbeat", data: this.buildHeartbeat() }); }, HEARTBEAT_INTERVAL);
Disable the skill or call shutdown when remote access is not needed, and monitor heartbeat/connection logs.
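What a shutdown has to cancel for the recommendation above to hold, as an added example that is not the skill's code: a reconnect with backoff and a heartbeat interval, plus a shutdown() that cancels both timers and guards against a reconnect callback that is already queued. The scheduler is injected and faked so the two scenarios run deterministically offline; RelayClient, FakeTimers and the interval constants are assumptions.

```typescript
// Added example (not the skill's code): a relay client whose shutdown() cancels
// the pending reconnect and the heartbeat timer and refuses to reopen afterwards.
// Timers are injected so the behaviour can be driven deterministically offline.

interface Timers {
  after(ms: number, fn: () => void): number;
  every(ms: number, fn: () => void): number;
  cancel(id: number): void;
}

// Constructed in-memory scheduler: advance(ms) fires due callbacks in order.
class FakeTimers implements Timers {
  private now = 0;
  private seq = 0;
  private pending = new Map<number, { due: number; fn: () => void; period?: number }>();
  after(ms: number, fn: () => void): number {
    this.pending.set(++this.seq, { due: this.now + ms, fn });
    return this.seq;
  }
  every(ms: number, fn: () => void): number {
    this.pending.set(++this.seq, { due: this.now + ms, fn, period: ms });
    return this.seq;
  }
  cancel(id: number): void { this.pending.delete(id); }
  advance(ms: number): void {
    const target = this.now + ms;
    for (;;) {
      let nextId = -1, nextDue = Infinity;
      this.pending.forEach((t, id) => { if (t.due < nextDue) { nextDue = t.due; nextId = id; } });
      if (nextId < 0 || nextDue > target) break;
      const t = this.pending.get(nextId)!;
      this.now = nextDue;
      if (t.period !== undefined) t.due += t.period; else this.pending.delete(nextId);
      t.fn();
    }
    this.now = target;
  }
}

const HEARTBEAT_INTERVAL = 5000;   // assumed values; the skill's constants are not shown
const MAX_BACKOFF = 60000;

class RelayClient {
  private closed = false;
  private backoff = 1000;
  private reconnectTimer?: number;
  private heartbeatTimer?: number;
  private timers: Timers;
  private connect: () => boolean;   // stands in for the real socket open; true = connected
  readonly log: string[] = [];
  attempts = 0;

  constructor(timers: Timers, connect: () => boolean) { this.timers = timers; this.connect = connect; }

  openSocket(): void {
    if (this.closed) { this.log.push("open skipped: client shut down"); return; }  // late callback guard
    this.attempts += 1;
    if (this.connect()) {
      this.backoff = 1000;
      this.log.push("connected");
      this.heartbeatTimer = this.timers.every(HEARTBEAT_INTERVAL, () => this.log.push("heartbeat"));
      return;
    }
    this.log.push(`connect failed, retry in ${this.backoff} ms`);
    this.reconnectTimer = this.timers.after(this.backoff, () => this.openSocket());
    this.backoff = Math.min(this.backoff * 2, MAX_BACKOFF);
  }

  shutdown(): void {
    this.closed = true;
    if (this.reconnectTimer !== undefined) this.timers.cancel(this.reconnectTimer);
    if (this.heartbeatTimer !== undefined) this.timers.cancel(this.heartbeatTimer);
    this.log.push("shutdown");
  }
}

// Scenario A: relay unreachable, shutdown lands while a reconnect is pending.
function flappingRelayScenario(): RelayClient {
  const timers = new FakeTimers();
  let calls = 0;
  const client = new RelayClient(timers, () => ++calls > 2);  // a third attempt would succeed
  client.openSocket();      // attempt 1 fails, retry scheduled at 1000
  timers.advance(1000);     // attempt 2 fails, retry scheduled at 3000
  client.shutdown();        // must cancel that retry
  timers.advance(120000);   // nothing further may happen
  return client;
}

// Scenario B: connected; shutdown must stop the heartbeats.
function connectedScenario(): RelayClient {
  const timers = new FakeTimers();
  const client = new RelayClient(timers, () => true);
  client.openSocket();
  timers.advance(12000);    // heartbeats at 5000 and 10000
  client.shutdown();
  timers.advance(30000);    // none after that
  return client;
}

console.log(flappingRelayScenario().log, connectedScenario().log);
```

Without the closed flag, a reconnect callback that was already dequeued when shutdown() ran would reopen the socket and re-arm the heartbeat, so cancelling the timer ids alone is not enough. Scenario A ends after two attempts and never connects; scenario B records exactly two heartbeats.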
Users may have difficulty confirming exactly which release they are installing or comparing it to the advertised repository.
The registry metadata reports version 1.0.2 and unknown source, while included clawhub.json and skill.json report version 1.0.1. This is a provenance/version-coherence issue, not direct evidence of malicious behavior.
Source: unknown ... Version: 1.0.2
Verify the package against the project repository or publisher, and align registry and packaged version metadata.
