ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claude Local Bridge

Secure MCP bridge enabling Claude on your phone to browse and edit local repos with real-time, human-approved file access and audit logging.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 511 · 0 current installs · 0 all-time installs
by@suhteevah
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md align in purpose: exposing a local, approval-gated file bridge for Claude. Nothing in the code asks for unrelated credentials or unusual system access. However, the SKILL.md claims 'Bearer token auth' as a security control but the registry metadata lists no required credentials or config, and several endpoints do not actually enforce that token—so the stated protections are overstated.
!
Instruction Scope
The runtime instructions tell users to expose the service to their phone using tunnels (Tailscale, Cloudflare Tunnel), but core server code exposes several unauthenticated interfaces: the WebSocket dashboard code (ws/approvals) contains no token check, the approval decision endpoints (POST /approvals/{id}/decide and DELETE /approvals/{id}) are implemented as 'user-facing' with no auth dependency, and the MCP SSE mount appears to accept tool calls without HTTP bearer checks. Those behaviours expand the scope beyond the claimed 'token-protected, approval-gated' model and create a risk if the service is reachable remotely.
Install Mechanism
No exotic install mechanism: SKILL.md and README instruct pip install -r requirements.txt and running the Python app. There are no downloads from ad-hoc URLs or packaged scripts in the manifest that would raise additional install risk.
Credentials
The skill declares no required environment variables or credentials (registry metadata), and BridgeConfig generates a random token by default. That is reasonable, but the SKILL.md claims bearer-token protection—because the token is internal/default and not declared as 'required', users may overlook securing it. The dashboard stores the token in localStorage; the WebSocket client uses a token query parameter while the server does not validate it—this mismatch reduces the effectiveness of the token.
Persistence & Privilege
The skill does not request persistent, always-on inclusion or escalate privileges. It runs as a local server process and keeps state in memory; no system-level changes, no 'always: true' flag, and no cross-skill configuration modifications are present.
What to consider before installing
This package implements an approval-gated local file bridge, but the implementation relies on 'local-only' assumptions that are fragile when you follow the SKILL.md advice to use tunnels (Tailscale / Cloudflare). Key issues to consider before installing or exposing this: - Unauthenticated endpoints: The WebSocket (/ws/approvals) and the user-facing approval decision endpoints do not enforce the bearer token in the provided code. If the HTTP server or MCP SSE is reachable from the network (e.g., via a tunnel), an attacker could connect, create approval requests, and also call the decision endpoints to grant themselves access. - MCP SSE authentication: The MCP tools are mounted and appear callable without going through FastAPI's bearer-token dependency. That means clients able to hit /mcp/sse may trigger file-access requests. The approval gating only protects access if the approver is truly local and the decision endpoints remain inaccessible remotely. - CORS / origin assumptions: The app sets allow_origins=["*"], which makes browser-based CSRF or cross-origin abuse easier if the service is reachable externally. The dashboard also stores tokens in localStorage which could be abused on a compromised client. Recommended actions to make this safer: - Do not expose the service to the public internet unless you harden it first. Keep it bound to 127.0.0.1 and use an authenticated tunnel that enforces access control. - Add server-side token checks for the WebSocket (validate the token on connect) and require authentication on approval decision endpoints (or restrict them to localhost via middleware). Ensure the MCP SSE layer requires the same bearer token or another authenticated channel. - Narrow CORS to only trusted origins (or remove it if not needed). - Consider per-request CSRF protections for browser-driven actions and avoid storing long-lived secrets in localStorage. - Review requirements.txt and run the code locally in a sandbox before using tunnels; confirm the token printed at startup and the dashboard token match and that all entrypoints validate it. Given these concrete mismatches between claimed protections and the code, treat this skill as suspicious until you or the author apply the hardening steps above or confirm an updated release that enforces auth on all external entry points.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.0
Download zip
latestvk9736hce9s07jfxz6v76qcsvrx814ycx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Claude Local Bridge

Access your local repos from Claude on your phone. Secure MCP bridge server with approval gating.

What it does

Runs a local MCP server (over SSE) that gives Claude access to your files — but only after you explicitly approve each request from a real-time dashboard.

Tools

  • browse_files — List workspace file tree (no approval needed)
  • request_file_access — Request approval to read/write files (blocks until you decide)
  • read_file — Read an approved file's contents
  • write_file — Write to an approved file
  • list_approvals — See all current approvals
  • revoke_approval — Revoke access
  • view_audit_log — View access history

Quick Start

git clone https://github.com/suhteevah/claude-local-bridge.git
cd claude-local-bridge
pip install -r requirements.txt
python -m app.main --roots ~/projects

Then connect Claude to http://localhost:9120/mcp/sse

Security

  • Sandboxed to whitelisted directories only
  • Extension blocklist (.env, .pem, .key, etc.)
  • Path traversal prevention
  • Bearer token auth
  • Every file access requires human approval
  • Full audit trail

Remote Access

Use Tailscale (free), Cloudflare Tunnel (free), or NetBird (FOSS) to access from your phone. See tunnel.md.

Files

25 total
Select a file
Select a file to preview.

Comments

Loading comments…