Cloudflare Agent Tunnel

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent and not deceptive, but it can publish an OpenClaw agent interface through a persistent root-run Cloudflare tunnel without clearly requiring access controls.

Install only if you intentionally want an OpenClaw agent reachable through a Cloudflare hostname. Before using it, confirm the exact hostname and local port it will publish, put Cloudflare Access or strong application-level authentication in front of that hostname, protect the tunnel credentials, and know how to stop and disable the systemd service and remove the DNS route once the agent should no longer be reachable.
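The pre-flight checks and the teardown the overview asks for, as an added shell example that is not part of the skill and not taken from Cloudflare's documentation: it verifies that the tunnel's ingress publishes only the intended hostname, routes it to the intended local service, and ends with a catch-all 404; it checks that the credentials file is readable by its owner alone; and it defines (without running) the teardown that undoes `systemctl enable`. The hostname `agent.example.com`, the local service `http://localhost:8080`, the tunnel name `koda`, and the unit name `cloudflared-koda` (the last taken from the finding excerpt further down the page) are assumptions, and the sample config and credentials file are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not the skill's own code and not from Cloudflare's docs.
# Pre-flight checks and teardown for a cloudflared tunnel that publishes an
# agent UI. Assumed values (hypothetical): hostname agent.example.com, local
# service http://localhost:8080, systemd unit cloudflared-koda, tunnel name koda.

# Pass only if every hostname in the ingress is the one we intend to expose,
# it routes to the expected local service, and the ingress ends with a
# catch-all 404 so requests for any other Host header are refused.
check_ingress() {
  config="$1" want_host="$2" want_service="$3"
  if grep 'hostname:' "$config" | sed -E 's/.*hostname:[[:space:]]*//' | grep -vqx "$want_host"; then
    return 1   # some other hostname is being published through this tunnel
  fi
  grep -Eq "hostname:[[:space:]]*$want_host\$" "$config" || return 1
  grep -Eq "service:[[:space:]]*$want_service\$" "$config" || return 1
  grep -Eq 'service:[[:space:]]*http_status:404' "$config"
}

# The credentials JSON lets anyone who can read it run the tunnel: it must be
# readable by its owner alone (group/other bits, columns 5-10 of ls -l, all '-').
check_creds_perms() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Teardown when the agent should no longer be reachable. Needs root; defined
# here but deliberately not executed by the demo below.
teardown_tunnel() {
  unit="$1" tunnel="$2"
  systemctl disable --now "$unit"        # stop it and undo 'systemctl enable'
  rm -f "/etc/systemd/system/$unit.service"
  systemctl daemon-reload
  cloudflared tunnel cleanup "$tunnel"   # drop any stale connections first
  cloudflared tunnel delete "$tunnel"    # then remove the tunnel itself
  # The CNAME created by 'cloudflared tunnel route dns' is not removed by the
  # commands above: delete it from the zone's DNS records (dashboard or API).
}

# Constructed sample inputs for the demo (not a real config or real credentials).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/config.yml" <<'EOF'
tunnel: koda
credentials-file: /etc/cloudflared/koda.json
ingress:
  - hostname: agent.example.com
    service: http://localhost:8080
  - service: http_status:404
EOF
cat > "$tmp/bad-config.yml" <<'EOF'
tunnel: koda
credentials-file: /etc/cloudflared/koda.json
ingress:
  - hostname: agent.example.com
    service: http://localhost:8080
  - hostname: admin.example.com
    service: http://localhost:9090
EOF
printf '{"AccountTag":"x","TunnelSecret":"y","TunnelID":"z"}\n' > "$tmp/creds.json"
chmod 0600 "$tmp/creds.json"

check_ingress "$tmp/config.yml" agent.example.com http://localhost:8080 \
  && echo "config.yml: publishes only agent.example.com -> :8080, with catch-all 404"
check_ingress "$tmp/bad-config.yml" agent.example.com http://localhost:8080 \
  || echo "bad-config.yml: rejected (extra hostname, no catch-all 404)"
check_creds_perms "$tmp/creds.json" && echo "creds.json: owner-only permissions"
```

The ingress check is deliberately strict about the catch-all: without a final `http_status:404` rule, cloudflared refuses to start, but a permissive rule such as `service: http://localhost:8080` with no hostname would publish the agent under every hostname routed to the tunnel, which is exactly what the overview warns against.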

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding: The skill instructs the agent to execute privileged shell commands such as adding APT repositories, installing packages, writing files under /etc, and managing systemd services, yet it declares no permissions. This mismatch can cause the skill to run with more capability than users expect, increasing the risk of unintended system modification or unsafe execution in environments that rely on explicit permission declarations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The documentation runs the Cloudflare tunnel service as root and reads its credentials from /root/.cloudflared. This is a common quick-start pattern, but it gives the tunnel process full system privileges it does not need and keeps highly sensitive tunnel credentials in root's home directory, without warning users that a dedicated unprivileged service account is the least-privilege alternative. A compromise of cloudflared, or a misconfiguration, then has broader host impact than necessary.
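The least-privilege alternative this finding alludes to, as an added example that is not part of the skill or its documentation: a constructed unit in the root-run quick-start shape the finding describes beside a unit that runs cloudflared as a dedicated service account with its credentials moved out of /root/.cloudflared, plus a small audit that tells the two apart. The account name `cloudflared`, the paths under /etc/cloudflared, the binary locations, and the unit contents are assumptions, not the skill's actual unit file.

```shell
#!/usr/bin/env bash
# Added example, not the skill's code. Contrasts the root-run quick-start unit
# the finding describes with one that runs cloudflared as a dedicated,
# unprivileged account. Account name, paths and unit contents are assumptions.

# Quick-start shape: no User= (so it runs as root) and credentials read from
# root's home. Constructed to stand in for the pattern; not the skill's unit.
quickstart_unit() {
  cat <<'EOF'
[Unit]
Description=cloudflared tunnel (quick-start)
After=network-online.target

[Service]
ExecStart=/usr/local/bin/cloudflared --config /root/.cloudflared/config.yml tunnel run
Restart=always

[Install]
WantedBy=multi-user.target
EOF
}

# Least-privilege alternative: dedicated account, empty capability set,
# read-only view of the system, home directories hidden. cloudflared only
# makes outbound connections, so it needs none of what the quick-start grants.
hardened_unit() {
  cat <<'EOF'
[Unit]
Description=cloudflared tunnel for the OpenClaw agent (unprivileged)
After=network-online.target
Wants=network-online.target

[Service]
User=cloudflared
Group=cloudflared
# config.yml points credentials-file at /etc/cloudflared/<tunnel-id>.json,
# owned by cloudflared:cloudflared with mode 0600 (moved out of root's home).
ExecStart=/usr/bin/cloudflared --no-autoupdate --config /etc/cloudflared/config.yml tunnel run
Restart=on-failure
RestartSec=5s
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
CapabilityBoundingSet=
AmbientCapabilities=

[Install]
WantedBy=multi-user.target
EOF
}

# Audit a unit file: named non-root account, the hardening directives above
# present, and nothing referenced under /root.
audit_unit() {
  unit="$1"
  user=$(sed -n 's/^User=//p' "$unit")
  if [ -z "$user" ] || [ "$user" = "root" ]; then
    return 1                                   # runs as root
  fi
  for directive in 'NoNewPrivileges=yes' 'ProtectSystem=strict' 'ProtectHome=yes' 'CapabilityBoundingSet='; do
    grep -qx "$directive" "$unit" || return 1  # hardening directive missing
  done
  ! grep -q '/root/' "$unit"                   # must not reach into root's home
}

# One-time credential placement for the service account (needs root; defined
# here, not run by the demo).
install_creds() {
  src="$1" tunnel_id="$2"
  install -d -o cloudflared -g cloudflared -m 0750 /etc/cloudflared
  install -o cloudflared -g cloudflared -m 0600 "$src" "/etc/cloudflared/$tunnel_id.json"
}

tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
quickstart_unit > "$tmp/quickstart.service"
hardened_unit > "$tmp/hardened.service"
audit_unit "$tmp/quickstart.service" || echo "quick-start unit: fails the least-privilege audit"
audit_unit "$tmp/hardened.service" && echo "hardened unit: passes"
```

With `ProtectHome=yes` the service cannot read /root at all, so the credentials must actually be moved (as `install_creds` does) rather than merely chmod'ed in place; the audit's last check catches a unit that still points into /root.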

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
```
EOF

systemctl daemon-reload
systemctl enable cloudflared-koda
systemctl start cloudflared-koda
systemctl is-active cloudflared-koda
```
Confidence: 88%
Finding: systemctl enable

VirusTotal

65/65 vendors flagged this skill as clean.
