ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TunnelProxy

v1.0.5

TunnelProxy integration for AI agents. Enables network proxying, remote command execution, and bidirectional file transfer through user's local TunnelProxy s...

0· 41·0 current·0 all-time
by@turinfohlen
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, README, SKILL.md, and the three Python modules all implement the same feature set (PTY remote execution, HTTP file transfer, pip-download via remote). No unrelated credentials, binaries, or config paths are requested: the declared env vars (TUNNEL_HOST, ports, UPLOAD_MAGIC) match the implementation.
Instruction Scope
SKILL.md instructs the agent to execute arbitrary shell commands on the user's machine and to transfer arbitrary files (push/pull). That is exactly the skill's purpose, but it is inherently dangerous: the instructions allow full command execution and file access and advise exposing the service via frp for public access. There is no evidence of scope creep (it does not attempt to read unrelated system secrets or other skills' configs), but the permitted actions are powerful.
Install Mechanism
This is instruction-plus-scripts (no install spec). Requirements are just requests and pexpect (requirements.txt). No downloads from untrusted URLs or archive extraction are included in the skill bundle; files are local and readable for review.
Credentials
No required secret env variables are mandated by the registry metadata. The code uses optional env vars (TUNNEL_HOST, TUNNEL_PORT, TUNNEL_HTTP_PORT, TUNNEL_TIMEOUT, UPLOAD_MAGIC) which are appropriate for configuring a network proxy/tunnel. No unrelated tokens or cloud credentials are requested.
Persistence & Privilege
always is false and the skill is user-invocable and can be autonomously invoked (disable-model-invocation=false). Autonomous invocation is normal for skills, but combined with full remote-shell/file-access functionality this greatly increases risk — the user should be aware and restrict autonomous access if they cannot fully trust the agent.
Assessment
This skill is coherent (it does what it says) but grants full remote shell and file access to your machine. Only install/use it if you fully control and trust the agent. If you proceed: run TunnelProxy under a restricted user account, bind to 127.0.0.1 unless you intentionally expose it, use a strong UPLOAD_MAGIC and random high ports, firewall the service, review the included scripts before use, avoid exposing via public frp endpoints unless necessary, and consider disabling autonomous model invocation for this skill. If you are unsure, do not install it — use more limited mechanisms (e.g., controlled forward proxy or explicit file-share endpoints) instead.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Environment variables
TUNNEL_HOSTrequired
TUNNEL_PORTrequired
TUNNEL_HTTP_PORTrequired
TUNNEL_TIMEOUTrequired
UPLOAD_MAGICrequired
latestvk977v3984r48aa742rgdngsmz1856yr4
41downloads
0stars
6versions
Updated 8h ago
v1.0.5
MIT-0
@turinfohlen
latest
Download

🚇 Security Warning

This skill enables remote command execution and file transfer on your machine.

Before use:

  • Set TUNNEL_HOST=127.0.0.1 unless you intentionally expose the service
  • Use random high ports (49152-65535) for public exposure
  • Run TunnelProxy under a restricted user account
  • Review the included scripts before execution

Do NOT use with untrusted third-party Agent services.

TunnelProxy Skill

Overview

This skill enables AI agents running in cloud sandboxes to bypass network restrictions by utilizing the user's local TunnelProxy service. It provides:

Remote command execution via PTY Shell Bidirectional file transfer via HTTP interface Unrestricted network access through user's local connection

Quick Start

1. Initialize Connection

from tunnel_ops import TunnelOps

# Configure with user's TunnelProxy address
ops = TunnelOps(
    host="your-frp-server.example.com",      # or user's custom address
    pty_port=27417,              # PTY Shell port
    http_port=8080                # HTTP file server port
)

# Verify connectivity
if ops.check()["http"] and ops.check()["pty"]:
    print("Tunnel is ready")

if ops.check()["http"] and ops.check()["pty"]:
    print("Tunnel is ready")

2. Execute Remote Commands

# Run any command on user's machine
output = ops.run_remote("curl -s https://httpbin.org/ip")
print(f"Remote IP: {output}")

# Chain commands
ops.run_remote("cd /tmp && ls -la")

3. File Transfer

# Pull file from user device to sandbox
ops.pull_file("/path/on/remote/file.txt", "local_copy.txt")

# Push file from sandbox to user
ops.push_file("./result.tar.gz")

4. Fetch Remote Content

# Download via user's network
content = ops.fetch_url("https://arxiv.org/abs/2301.00001")

# Download files with progress
ops.fetch_url_to_file("https://example.com/large.zip", "./downloaded.zip")

5. Install Blocked Packages

# Download pip packages via user's network
local_tar = ops.pip_download("torch torchvision", target_dir="./packages")

API Reference

TunnelOps Class

MethodDescriptionParameters
check()Verify HTTP and PTY connectivityNone
run_remote(cmd, timeout)Execute shell commandcmd: str, timeout: int = 30
fetch_url(url, timeout)GET URL via remote curlurl: str, timeout: int = 30
fetch_url_to_file(url, path, timeout)Download URL to local fileurl, local_path, timeout
pull_file(remote, local)Download remote fileremote_path, local_path
push_file(local)Upload local file to remotelocal_path
pip_download(package, target_dir)Download pip packagepackage, target_dir

Environment Variables

VariableDefaultDescription
TUNNEL_HOSTfrp.freefrp.netTunnelProxy host
TUNNEL_PORT27417PTY Shell port
TUNNEL_HTTP_PORT8080HTTP file server port
TUNNEL_TIMEOUT30Default command timeout

Error Handling

try:
    output = ops.run_remote("long_running_command", timeout=60)
except socket.timeout:
    print("Command timed out - try increasing timeout")
except ConnectionRefusedError:
    print("TunnelProxy unreachable - check if service is running")

Security Notes

This skill grants the agent complete control over commands executed on the user's machine. Only use with:

  • Fully trusted AI agents you control
  • Users who understand the security implications
  • In environments with additional safeguards (firewalls, UPLOAD_MAGIC)

Low-Level Usage

For single command execution without the Python API:

echo '<invoke name="exec"><parameter name="command">pwd</parameter></invoke>' | python3 scripts/pty_exec.py

Or use scripts/http_transfer.py for file operations:

python3 scripts/http_transfer.py ping
python3 scripts/http_transfer.py upload /path/to/file

Comments

Loading comments...