vscode-tunnel

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it starts and manages a VS Code Remote Tunnel, which is powerful but disclosed and purpose-aligned.

Install this only if you intentionally want VS Code Remote Tunnel access to the current container. Treat the authorization code and logs as sensitive, use the intended Microsoft account, and run the provided stop/status commands when finished. Higher-security environments should consider whether downloading and executing the VS Code CLI at runtime is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill clearly instructs the agent to execute shell commands (`bash .../tunnel.sh`) but does not declare corresponding permissions. That mismatch is dangerous because it hides execution capability from reviewers and policy systems, while the command starts a VS Code Remote Tunnel that can expose remote terminal access into the container.

Vague Triggers

Medium
Confidence: 85%
Finding
Trigger phrases like `connect vscode` and `vscode remote` are broad enough that the skill may activate unexpectedly during benign conversation. In this skill's context, accidental invocation is more dangerous than usual because activation leads toward establishing a remote access tunnel, not just a harmless lookup or formatting action.

Missing User Warnings

Medium
Confidence: 94%
Finding
The description says the skill enables remote terminal access but does not prominently warn that starting the tunnel exposes the container for remote access via VS Code. This under-communicates the security impact, increasing the risk that a user or agent invokes it without understanding that it creates an externally reachable management channel.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script starts a VS Code remote tunnel and downloads/executes the CLI with no meaningful consent gate or warning about exposing the container for remote access. In this skill context, the tunnel is the core purpose, but that also makes the behavior security-sensitive: a user can unintentionally create persistent remote access into the environment and accept license terms automatically without understanding the exposure.

VirusTotal

65/65 vendors flagged this skill as clean.
