Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Tailscale

v1.0.0

Manage Tailscale tailnet via CLI and API. Use when the user asks to "check tailscale status", "list tailscale devices", "ping a device", "send file via tailscale", "tailscale funnel", "create auth key", "check who's online", or mentions Tailscale network management.

License: MIT-0. Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (manage a Tailscale tailnet) align with the provided scripts and SKILL.md: local CLI commands and API operations (devices, keys, DNS, ACLs) are coherent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to run local tailscale CLI commands and the included ts-api.sh script for tailnet-wide tasks. That scope is appropriate, but the instructions reference a specific credential file (~/.clawdbot/credentials/tailscale/config.json) and environment variables (TS_API_KEY, TS_TAILNET) which are not declared in the registry metadata — an inconsistency that should be fixed. The skill does not instruct exfiltration to unknown endpoints; API calls target api.tailscale.com.
Install Mechanism
This is an instruction-only skill with one helper script; there is no install spec or remote download. No high-risk install behavior observed.
Credentials
The runtime script expects a Tailscale API key (TS_API_KEY) and optionally TS_TAILNET or a config file, but the registry metadata lists no required env vars or primary credential. Requesting an API key is proportionate to the skill's purpose, however the metadata omission is misleading and could lead to surprise when the agent attempts to read/store credentials.
Persistence & Privilege
always is false and the skill does not request permanent agent-wide presence or modify other skills. It runs normal network and CLI operations appropriate to its role.
What to consider before installing
This skill appears to do what it claims (control Tailscale locally and via the API), but the package metadata does not declare that it needs your Tailscale API key or a credentials file. Before installing or enabling the skill:

- Verify the skill source/author (homepage unknown) and inspect the included scripts yourself (ts-api.sh is present and readable).
- Only provide a Tailscale API key with the minimum required privileges; prefer creating an ephemeral or limited-scope key in the Tailscale Admin Console.
- Store the key in the expected config file (~/.clawdbot/credentials/tailscale/config.json) or via TS_API_KEY, and avoid putting broader credentials in that location.
- Ask the publisher to update registry metadata to declare TS_API_KEY (primary credential) and the config path so the requirements are explicit.

If you cannot verify the publisher or are uncomfortable providing an API key, do not enable the tailnet-wide features; you can still use local CLI operations if the tailscale binary is present on the machine.

Like a lobster shell, security has layers — review code before you run it.
