v3.2.7

Intranet

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:39 AM.

Analysis

This appears to be a legitimate local file server, but its instructions disagree about when plugin Python code can run, and it starts a persistent HTTP service.

Guidance: Install only if you want a local HTTP server. Keep it bound to localhost by default, enable token auth and allowed_hosts before any LAN or tunnel exposure, leave CGI off unless you trust the code being run, and resolve the plugin CGI/hash documentation ambiguity before mounting plugin directories.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SETUP.md
If the plugin directory contains an executable `index.py`, it handles all sub-paths as CGI.

This setup guidance presents plugin CGI execution as based on an executable index.py, while SKILL.md separately claims plugin CGI requires a SHA-256 hash and that plugins without a hash are static-only. The inconsistency affects a code-execution security boundary.

User impact: A user may misunderstand when plugin Python code can run, which could lead to exposing or executing plugin code under broader conditions than intended.
Recommendation: Before enabling plugins or CGI, verify the actual config requirements, keep CGI disabled unless needed, require hashes for plugin CGI, and only mount trusted plugin directories.

Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Note
SKILL.md
CGI Execution

**Off by default.** Enable in `config.json` ... only files named `index.py` can execute as CGI

Running local Python files as CGI is a disclosed, purpose-aligned feature, but it means HTTP requests can trigger local code execution when the user enables it.

User impact: If CGI is enabled, a request to the server may run trusted local Python code with the user's local permissions.
Recommendation: Leave CGI disabled unless required, make CGI files executable only when intended, and use token authentication plus host allowlists if the server is reachable beyond localhost.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
python3 {baseDir}/scripts/intranet.py start --host 0.0.0.0            # LAN access (requires token + allowed_hosts)

The skill can bind to all network interfaces, which is expected for a web server but increases exposure if configured incorrectly.

User impact: Files and enabled CGI endpoints could become reachable from other machines if LAN binding is used.
Recommendation: Use the default localhost binding unless remote access is necessary; when using 0.0.0.0, configure a strong token and a narrow allowed_hosts list.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
scripts/intranet.py
# Fork to background
pid = os.fork()

The start command intentionally daemonizes the HTTP server and records its PID, so the service persists after the command returns.

User impact: The local web server can continue running and serving files until the user stops it.
Recommendation: Use the provided status and stop commands to verify and terminate the server when it is no longer needed.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/intranet.py
if token:
    config["token"] = token
_write_config(config)

When token authentication is used, the bearer token is written into the workspace runtime configuration.

User impact: Anyone who can read the workspace runtime/config files may be able to obtain the local server token.
Recommendation: Treat the intranet config files as sensitive, avoid sharing the workspace with untrusted users, and rotate the token if it may have been exposed.