ClawHub

Rustunnel

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate tunneling purpose, but it under-scopes the risk of exposing local services publicly and reusing a stored access token.

Review before installing. Only use this skill if you are comfortable with an agent reading a rustunnel token from ~/.rustunnel/config.yml and creating public tunnels to local ports. Confirm the exact port and protocol each time, avoid exposing databases or admin interfaces unless they are separately secured, close tunnels promptly, and rotate or remove the stored token when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly tells the agent to read a persistent auth token from ~/.rustunnel/config.yml and reuse it in subsequent tool calls. That creates a sensitive-secret handling risk because the agent is encouraged to access stored credentials and pass them around without requiring fresh consent, minimizing exposure, or warning the user that the token is sensitive.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill's core purpose is exposing local HTTP/TCP services to a public URL, but it does not give a strong, prominent warning that this can publish development servers, databases, admin panels, or other local-only services to the internet. In practice, that can lead to accidental external exposure of sensitive systems or data if the wrong port is tunneled.

Session Persistence

Medium
Category
Rogue Agent
Content
1. **Check if config file exists:** `~/.rustunnel/config.yml`
2. **If not, ask user:** "What's your rustunnel auth token and server address?"
3. **Create config file directly:**
   ```bash
   mkdir -p ~/.rustunnel
   chmod 700 ~/.rustunnel
Confidence
89% confidence
Finding
Create config file directly:** ```bash mkdir -p ~/.rustunnel chmod 700 ~/.rustunnel ``` 4. **Write config with user's token:** ```yaml server: <user-provided-server> auth_token: <

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal