Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workspace Explorer

v1.1.5

Securely share your workspace with your owner via a remote VS Code environment. Use when (1) the owner requests to view or inspect your working files, (2) you need to give the owner live access to browse your codebase, (3) the owner wants to install extensions or use IDE features to explore files, or (4) you need a temporary secure tunnel for remote workspace inspection.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (share workspace via code-server + Cloudflare tunnel) match the instructions: clone the repo and run start_workspace.py which starts code-server and a Cloudflare tunnel. No unrelated credentials or unrelated binaries are requested.
! Instruction Scope
The SKILL.md tells the agent to run a repo script that will serve an arbitrary filesystem path via code-server and expose a public URL/password. That behavior is exactly the feature, but it gives remote access to everything in the served directory (potentially secrets, tokens, keys). The instructions do not suggest limiting or sanitizing the workspace, nor do they instruct how to safely restrict access.
! Install Mechanism
There is no install spec in the skill bundle; the runtime instructions tell the script to 'download binaries on first run' (code-server + cloudflared). Downloading and running binaries from the network at runtime has a high risk surface because those artifacts are not included or checksum-verified in the skill. The repo origin is given, but the agent would still fetch external executables.
Credentials
The skill requests no environment variables or credentials, which is appropriate. However, the action of exposing a directory can leak unrelated secrets (environment files, tokens, SSH keys) that live in the workspace — the skill doesn't provide guidance to avoid or scrub those before sharing.
Persistence & Privilege
always:false and no install spec — the skill is not forced into all sessions. The included HEARTBEAT.md describes periodic status checks when installed as a skill, which implies some ongoing agent activity (reminders) but not elevated platform privileges. Periodic checks increase the window in which a tunnel might be left open if not monitored.
What to consider before installing
This skill does what it says (creates a public browser VS Code to let someone inspect files), but that capability inherently lets a remote person see or edit anything in the served directory — including secrets. Before using: (1) inspect the GitHub repo yourself (start_workspace.py and any scripts it downloads) and prefer running it in an isolated environment (ephemeral VM or container); (2) only serve a directory that contains no credentials, tokens, SSH keys, or other sensitive files; (3) verify the sources and checksums of downloaded binaries (code-server, cloudflared) or install them from official package channels yourself instead of letting the script fetch them; (4) share the URL/password only over a trusted channel and terminate the session when done; (5) monitor logs/cloudflared.log and remove downloaded binaries when finished. If you cannot audit the remote script or binaries, treat this skill as risky and avoid running it on any machine containing sensitive data.

Like a lobster shell, security has layers — review code before you run it.
