ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cloudflare Open WebUI Tunnel Operator

Create and maintain a Cloudflare Tunnel for Open WebUI using a 1Password-managed API token, Docker runtime, and optional systemd persistence. 使用 1Password 管理...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 67 · 0 current installs · 0 all-time installs
by@grey0758
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The described functionality (Cloudflare tunnel for Open WebUI using a 1Password token, Docker, optional systemd) matches the instructions. However, the metadata declares no required binaries or credentials even though the runtime instructions call out `op` (1Password CLI), `docker compose`/`docker`, `cloudflared` and `systemctl`. The omission is an incoherence — the skill will require external CLIs and 1Password access to function.
Instruction Scope
The SKILL.md stays on-scope: it verifies local service health, uses 1Password as the secret source, creates the remote-managed tunnel, writes the tunnel runtime token to a local env file, and optionally creates a systemd unit. These actions are expected for the stated goal, but several instructions perform sensitive operations (persisting a runtime token to disk, enabling systemd units that may need 1Password access). The document explicitly prohibits revealing secrets, but it does instruct persistence of secret tokens to local files and writing back `account_id` into 1Password — both require careful access controls and explicit user consent.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not download or install third-party packages on its own. That lowers installation risk. The skill still depends on external binaries being present on the host (see purpose_capability note).
!
Credentials
The workflow requires access to 1Password items and will produce and persist a tunnel token locally; yet the skill metadata lists no required environment variables or primary credential. In real usage, `op` often requires a session environment (OP_SESSION_*) or service-account credentials; systemd may need its own auth mechanism or wrapper. The absence of declared env/credential requirements is a mismatch and increases the chance that an operator will misconfigure secrets or inadvertently expose persisted tokens. Writing runtime tokens to disk is proportionate to running cloudflared but is sensitive and should be documented with file-permission guidance and minimised lifetime.
Persistence & Privilege
The skill does not set always:true and is user-invocable only (normal). It suggests creating/enabling a systemd unit for persistence, which is reasonable for a long-running tunnel but raises privilege/attack-surface concerns: a systemd service that can access 1Password or a persisted env file must be carefully constrained (least privilege, file permissions, and service account separation). The skill does not provide explicit guidance for secure service configuration.
What to consider before installing
This skill appears to do what it claims, but it has some important gaps you should address before installing: 1) Confirm required CLIs are present: `op` (1Password CLI), `docker`/`docker compose`, `cloudflared`, and `systemctl` — the package metadata does not list them. 2) Understand 1Password access: decide whether you will use an interactive `op` session, an OP_SESSION_* token, or a service-account flow; grant the least privilege needed and test in a safe environment. 3) Protect persisted tokens: the workflow writes a tunnel runtime token to a local env file — ensure strict file permissions, minimal lifetime, and consider not persisting if you can avoid it. 4) Be cautious with systemd: if you enable a systemd unit that reads 1Password, ensure it uses an isolated service account or wrapper and cannot leak secrets to other processes. 5) Require explicit consent for writing back `account_id` to 1Password and log that action. 6) Ask the publisher to update metadata to declare required binaries and any expected environment variables or session requirements; that makes auditing and safe deployment easier.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
1passwordvk9745bpz8n1969pxa1yzf2h2sd8374pmcloudflarevk9745bpz8n1969pxa1yzf2h2sd8374pmlatestvk9745bpz8n1969pxa1yzf2h2sd8374pmopen-webuivk9745bpz8n1969pxa1yzf2h2sd8374pmsystemdvk9745bpz8n1969pxa1yzf2h2sd8374pmtunnelvk9745bpz8n1969pxa1yzf2h2sd8374pm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Cloudflare Open WebUI Tunnel Operator

Use this skill when Open WebUI should be exposed through a Cloudflare Tunnel and the Cloudflare API token is stored in 1Password. 当需要通过 Cloudflare Tunnel 暴露 Open WebUI,且 Cloudflare API token 保存在 1Password 中时,使用这个 skill。

Read First | 先读这些

  • {baseDir}/README.md
  • {baseDir}/WORKFLOW.md
  • {baseDir}/FAQ.md
  • {baseDir}/CHANGELOG.md

Primary Rule | 核心原则

Treat 1Password as the secret source, knowledge/ as the canonical documentation source, and ClawHub only as the distribution layer. 把 1Password 当作密钥来源,把 knowledge/ 当作规范文档来源,把 ClawHub 仅当作分发层。

Workflow | 执行流程

  1. confirm local Open WebUI health 确认本地 Open WebUI 健康
  2. confirm op can read the Cloudflare token 确认 op 能读取 Cloudflare token
  3. create or update the remote-managed tunnel and DNS 创建或更新 remote-managed tunnel 与 DNS
  4. write the runtime tunnel token to a local env file 把运行态 tunnel token 写入本地 env 文件
  5. start cloudflared with Docker 用 Docker 启动 cloudflared
  6. persist the tunnel with systemd if reboots must survive 如果需要跨重启持久化,用 systemd
  7. verify both local and public URLs 验证本地与公网 URL
  8. backfill account_id in 1Password if it was inferred 如果 account_id 是推断得到的,回填到 1Password

Strong Heuristics | 强判断规则

  • if the local Open WebUI is down, do not debug Cloudflare first
  • if the 1Password item lacks account_id, derive it once and write it back
  • if systemd cannot authenticate to 1Password, check whether it is calling the wrong op binary
  • if the public URL returns 502, check origin readiness before changing tunnel config
  • use a hostname derived from project meaning, not the machine hostname

中文解释:

  • 本地 Open WebUI 没起来,就不要先查 Cloudflare。
  • 1Password 缺 account_id 时,可先推断一次,再回填。
  • systemd 认证不到 1Password 时,优先检查它是否调用了错误的 op
  • 公网返回 502 时,先检查 origin 是否就绪,不要先改 tunnel 配置。
  • 域名应按项目语义命名,不要按机器名命名。

Safe Commands | 安全命令

op whoami
docker compose ps
curl -I http://localhost:3301
curl -I https://your-hostname.example.com
systemctl status --no-pager your-tunnel.service

Response Format | 输出格式

Always return: 始终返回:

  1. current workflow status
  2. missing artifacts
  3. next single best action
  4. verification after that

Constraints | 约束

  • do not reveal secret values from 1Password, .env, or runtime env files
  • do not publish machine-specific tokens or raw transcripts
  • prefer self-contained docs and package content
  • keep the hostname and service mapping explicit

中文约束:

  • 不要泄露 1Password、.env 或运行态 env 文件中的密钥值。
  • 不要发布机器专属 token 或原始聊天记录。
  • 优先保持文档和 skill 包自包含。
  • 明确写清楚 hostname 和 origin service 的映射关系。

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…