Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Cloudflare Secure

v1.0.0

Securely expose an OpenClaw Gateway WebUI on a VPS via Cloudflare Zero Trust Access + Cloudflare Tunnel (cloudflared), including DNS cutover for custom hostnames and optional cleanup of Tailscale Serve.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Functionality matches the name/description: it installs cloudflared, configures a tunnel, and manages Cloudflare DNS to point a hostname at the tunnel. However, the registry metadata claims no required environment variables while the SKILL.md and cf_dns.py require CLOUDFLARE_API_TOKEN, so the declared requirements do not match the actual ones.
Instruction Scope
SKILL.md is prescriptive and stays on-topic: it instructs installing cloudflared, running a service install with a tunnel token, creating an Access app in the Zero Trust UI, and creating/upserting DNS records. The scripts will delete existing A/AAAA/CNAME records for a hostname (explicitly), which is disruptive but consistent with the stated 'DNS cutover' purpose. All network calls are to Cloudflare API or GitHub releases; no unexpected external endpoints are present.
Install Mechanism
install_cloudflared.sh downloads an official GitHub release .deb and installs it with dpkg. The source domain (github.com/cloudflare/cloudflared) is legitimate, but there is no checksum/signature verification in the script — this increases risk slightly compared with a verified package install.
Credentials
The code and documentation require CLOUDFLARE_API_TOKEN (and you must provide a tunnel token at runtime). The token requirement is appropriate for DNS edits and is scoped in the docs to least-privilege permissions, but the skill registry metadata incorrectly lists no required env vars. That mismatch is important: if you rely on registry metadata to decide whether to grant tokens, it understates the required credential access.
Persistence & Privilege
The skill does not request 'always: true'. The scripts enable a systemd service (cloudflared), which is expected for a tunnel. The skill does not modify other skills' configs or ask for system-wide agent settings beyond installing and enabling cloudflared.
What to consider before installing
Before installing, be aware of these points:
- The SKILL.md and scripts require a CLOUDFLARE_API_TOKEN (and a separate cloudflared tunnel token) even though the registry metadata says none — do not rely solely on the registry summary when deciding to provide credentials.
- Provide a token with the least-privilege permissions recommended (Zone:DNS:Edit + Zone:Zone:Read) and rotate/revoke it after use if appropriate.
- The dns_point_hostname_to_tunnel.sh script will delete any existing A/AAAA/CNAME records for the hostname — back up DNS records or confirm you want that change before running.
- install_cloudflared.sh downloads and installs a .deb from GitHub without checksum verification; consider verifying the release manually or installing cloudflared via your distro's package manager or a signed artifact if you need stronger supply-chain assurance.
- The scripts require sudo (systemctl, dpkg) and assume amd64; verify target host architecture and run in a controlled environment first.
- If you need higher assurance, review the cf_dns.py and shell scripts line-by-line, and test in a non-production environment.

Ask the publisher to update the registry metadata to declare CLOUDFLARE_API_TOKEN as a required env var and to add checksum verification for the downloaded package.

Like a lobster shell, security has layers — review code before you run it.

Tags: access, cloudflare, latest, openclaw, security, tunnel
