Relay Workspace
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The plugin’s remote workspace file access is mostly disclosed and purpose-aligned, but its delete and path-boundary protections are weaker than the documentation claims.
Install only if you trust the Relay/Gateway environment and have backups of the workspace. Before using destructive operations, prefer a version that explicitly blocks deleting the workspace root and correctly handles symlinks or other paths that could escape the workspace.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A Relay/Gateway caller could delete the entire agent workspace, not just an individual selected file or folder.
The delete handler only rejects an empty path. A truthy path such as '.' resolves to the workspace root, passes safePath, and is then recursively removed with force.
if (!p) { ... } const absPath = safePath(workspaceRoot, p); ... await rm(absPath, { recursive: true, force: true });
Reject paths that resolve to the workspace root, avoid force-delete as the default, require explicit confirmation for recursive deletes, and consider trash/backup semantics.
If the workspace contains a symlink to another location, a remote file operation may read or write outside the intended workspace boundary.
The boundary check is lexical and does not use realpath/lstat to reject symlink components before readFile, writeFile, readdir, or rm operate on the path.
const resolved = resolve(workspaceRoot, cleaned); assertPathInside(resolved, workspaceRoot); return resolved;
Resolve real filesystem paths, reject symlink traversal where appropriate, validate parent directories for writes, and ensure the final real path remains under the workspace root.
Users may trust that the most destructive case is blocked when it is not actually enforced by the code.
This safety claim is not supported by the reviewed delete implementation, which lacks a root-path check before recursive rm.
**Root deletion guard**: `workspace.delete` refuses to delete the workspace root directory.
Align the documentation and implementation: either add the root deletion guard or remove the claim until it is true.
Anyone with effective access to the Gateway methods could view, change, or delete workspace files.
The plugin intentionally exposes workspace file contents and mutations over Gateway WebSocket RPC, so the security of connected Relay/Gateway clients matters.
Relay's file explorer calls when connected to a remote gateway ... `workspace.read` ... `workspace.write` ... `workspace.delete`
Use this only with trusted Relay clients and a properly protected Gateway; do not expose the Gateway broadly.
