tunelo
v0.2.0
Expose local services and files to the internet through a public HTTPS URL. Designed for AI agents — when you need to let a user preview files remotely, shar...
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and commands all line up: this skill's goal is to expose local services/files via a public HTTPS URL and the SKILL.md explains commands to do so. Required capabilities (network relay, ability to serve files) are consistent with the stated purpose.
Instruction Scope
The SKILL.md explicitly instructs the agent to run an installer via `curl -fsSL https://tunelo.net/install.sh | sh` and then to expose arbitrary local paths (e.g., `tunelo serve /path/to/files`). Running an opaque remote install script and exposing arbitrary local directories are both high-risk actions: the install script can execute arbitrary code on the host, and the tunneling commands can publish sensitive files if used incorrectly. The instructions do not provide a checksum, source repository, or details to verify the installer.
Install Mechanism
There is no install spec other than a curl|sh from tunelo.net — a single-file download-and-execute from an unverified domain. Per the scanning rules, this is a high-risk install pattern (arbitrary code and binaries will be written to disk). The domain is not a known, verifiable release host (e.g., GitHub releases, official distro repos) and no integrity verification is provided.
Credentials
The skill does not request environment variables, credentials, or config paths. That is proportional: exposing local services does not inherently require additional external credentials. However, the default behavior routes traffic through a third-party relay (tunelo.net), which implicitly gives that operator visibility into the endpoints you expose — a privacy/operational concern even though not expressed as credentials.
Persistence & Privilege
The install writes a persistent binary (claimed at /usr/local/bin/tunelo). Installing a binary is a persistent change and may require elevated permissions; this is not inherently malicious but is a meaningful system modification. The skill is not set to always:true and does not request platform-wide privileges otherwise.
What to consider before installing
Before installing or running this skill, consider the following: (1) do not run `curl | sh` from an unknown domain — request source code, a release page, and a cryptographic checksum (or install from a trusted package repository); (2) understand that exposing a directory or service publishes whatever is served — double-check paths to avoid leaking secrets, private keys, config files, or other sensitive data; (3) prefer using the `--local` option or a self-hosted relay (`--relay`) if you need testing without using a third-party relay; (4) if you must try it, run the installer and tunelo binary inside a disposable VM or container, or audit the install script first; (5) be cautious about allowing the agent to autonomously execute these install/run commands — require explicit user confirmation each time. If the publisher can supply a verifiable GitHub release, binary checksums, or an auditable install package, that would raise confidence and could change this assessment.
Like a lobster shell, security has layers — review code before you run it.
When to use tunelo
Use tunelo when the user needs to:
- Preview files remotely — "show me that PDF", "let me browse those files on my phone"
- Share a local dev server — "give me a link to your React app"
- Demo something to a colleague — "send me the URL so I can test it"
- Access localhost from another device — mobile testing, remote debugging
- Share a directory — project files, documents, media, datasets
Do NOT use tunelo when:
- The user only needs local access (use `python3 -m http.server` or `tunelo serve . --local`)
- The files are already hosted somewhere public
Install
curl -fsSL https://tunelo.net/install.sh | sh
If tunelo is not found after install, the binary is at /usr/local/bin/tunelo.
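A more cautious form of the install step, added here as an example and not part of tunelo's own documentation: the installer is saved to a file and run only if its SHA-256 matches a digest the operator pinned after reviewing the script. The function names are hypothetical, and the pinned digest is an operator-supplied value, since the page lists no published checksum.

```sh
#!/bin/sh
# Added example (not tunelo's code): run the installer only if it matches a
# digest recorded after a manual review of the script.

# Print the SHA-256 of file $1 as lowercase hex.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if file $1 hashes to the pinned digest $2.
installer_matches_pin() {
    file=$1 pinned=$2
    [ -f "$file" ] || return 2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$pinned" ]; then
        echo "digest mismatch: got $actual, pinned $pinned" >&2
        return 1
    fi
    return 0
}

# Download to a temp file, verify, then execute.
# $1 is the pinned digest (placeholder: the operator supplies it).
install_tunelo_pinned() {
    pinned=$1
    tmp=$(mktemp) || return 2
    curl -fsSL https://tunelo.net/install.sh -o "$tmp" || { rm -f "$tmp"; return 2; }
    if installer_matches_pin "$tmp" "$pinned"; then
        sh "$tmp"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Pinning the script does not cover any binary the script itself downloads; that step has to be checked when the script is reviewed.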
Commands
Expose a local HTTP service
tunelo http 3000 # Expose port 3000 → get public HTTPS URL
tunelo http 5173 # React/Vite dev server
tunelo http 8080 # Any local service
tunelo http 3000 --private # Require access code to visit
Serve files with web explorer
tunelo serve . # Current directory → public URL with file browser
tunelo serve ./dist # Specific directory
tunelo serve ~/Documents # Any path
tunelo serve . --local # Local-only preview (no tunnel, no public URL)
tunelo serve . -l -p 8000 # Local preview on port 8000
The file explorer runs in the browser — directory browsing, code syntax highlighting, markdown rendering, PDF viewer, image/video/audio playback, CSV/Excel tables. Everything is embedded in the binary, no dependencies.
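Because `tunelo serve` publishes everything under the chosen path, a check of the directory before serving it is worth having. The script below is an added example, not part of tunelo; the function names are hypothetical and the file-name patterns are an illustrative starting set, not a complete list.

```sh
#!/bin/sh
# Added example (not tunelo's code): refuse to publish a directory that
# contains files or folders that look like secrets.

# Print paths under $1 that look sensitive, one per line.
find_sensitive() {
    dir=$1
    # Well-known secret-bearing file names.
    find "$dir" -type f \( \
        -name '.env' -o -name '.env.*' -o \
        -name 'id_rsa' -o -name 'id_ed25519' -o -name 'id_ecdsa' -o \
        -name '*.pem' -o -name '*.key' -o -name '*.p12' -o -name '*.pfx' -o \
        -name '.netrc' -o -name '.npmrc' -o -name '.pypirc' -o \
        -name 'credentials' -o -name '*.kdbx' \
        \) -print 2>/dev/null
    # Directories whose whole contents should stay private.
    find "$dir" -type d \( -name '.ssh' -o -name '.aws' \
        -o -name '.gnupg' -o -name '.git' \) -print 2>/dev/null
    # Any file containing a PEM private-key header, whatever its name.
    grep -rlE -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$dir" 2>/dev/null || true
    return 0
}

# Return 0 if $1 looks safe to publish, 1 if something needs review.
safe_to_serve() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    hits=$(find_sensitive "$dir" | sort -u)
    if [ -n "$hits" ]; then
        echo "refusing to publish $dir; review these paths first:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}

# Usage: safe_to_serve ./dist && tunelo serve ./dist
```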
Options
tunelo http <PORT> --relay my.server:4433 # Use a custom relay server
tunelo http <PORT> -H 192.168.1.100 # Forward to non-localhost
tunelo http <PORT> --private # Auto-generate access code
tunelo http <PORT> --code mysecret # Set specific access code
Default relay is tunelo.net:4433 (free public relay). Use --relay for self-hosted.
Typical agent workflows
User says "share these files with me"
tunelo serve /path/to/files
# Give the user the public URL from the output
User says "I want to see this on my phone"
# If there's a dev server running:
tunelo http 3000
# If it's just files:
tunelo serve .
User says "let my colleague test the API"
tunelo http 8080 --private
# Give them the Share URL (includes access code)
User says "preview this locally first"
tunelo serve ./dist --local
# Opens on http://localhost:3000, no public URL
How it works
Browser → HTTPS → Relay → QUIC tunnel → Client → localhost / file server
- Public HTTPS URL assigned automatically (random subdomain like `abc123.tunelo.net`)
- QUIC transport — encrypted, multiplexed, low latency
- Auto-reconnects if connection drops
- Session limit: tunnels expire after ~2 hours on the public relay
