Claude Local Bridge

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate local-file bridge concept, but its approval and audit controls are exposed without authentication while the documentation encourages tunnel/LAN use.

Install only if you will run it on localhost or behind strong private access controls. Do not expose this version through a public tunnel or LAN without adding authentication to all approval, audit, WebSocket, and MCP surfaces; rotate any printed/shared tokens and treat workspace roots as potentially writable by anyone who can reach the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding
The skill advertises file read, file write, and network-facing behavior but declares no permissions in the manifest, which creates a transparency and policy-enforcement gap. In an agent ecosystem, missing permission declarations can cause users or platform controls to underestimate the skill’s reach, especially for a bridge that exposes local repositories over an MCP endpoint.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The security section states that every file access requires human approval, but the documented browse_files tool is explicitly exempt and can enumerate the workspace tree without approval. This mismatch is dangerous because directory and filename metadata often contains sensitive information and the documentation may lead users to trust the system more than its actual controls justify.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The application prints the authentication token in the startup banner and fallback console output, exposing a secret to anyone who can view the terminal, shell history capture, logs, screenshots, or process supervision output. In a local bridge that gates file access with approvals, leaking the token undermines the intended access control because another local process or user could reuse it to call the API.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The user-facing approval endpoints for listing, deciding, and revoking approvals are exposed without any authentication or authorization checks. An attacker who can reach this service could enumerate pending approvals, approve requests on behalf of the user, or revoke existing approvals, directly undermining the security boundary this approval system is supposed to enforce.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding
The comment states that no token is needed only for localhost, but the handlers do not implement any localhost restriction. This creates a dangerous false assumption: operators may believe the endpoints are locally scoped while in reality any reachable client can access approval data and state-changing actions without authentication.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README explicitly recommends exposing the bridge through public tunneling solutions, including a quick-start Cloudflare Tunnel flow, but does not prominently warn that this service can grant read/write access to local files on the host. In this context, encouraging remote exposure of a file-system bridge materially increases the attack surface and may lead users to publish a sensitive service without understanding the consequences if auth, approval flows, or the dashboard are reachable by others.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The README documents multiple endpoints related to approvals, audit logs, and WebSocket notifications as requiring no authentication, while the same project is designed to be exposed over LAN, VPN, or public tunnels. If deployed as described, unauthenticated users could enumerate approval state, monitor sensitive file-access activity, and potentially approve, deny, or revoke requests, undermining the security boundary and enabling unauthorized file access workflows.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding
Printing the authentication token without warning increases the chance that operators unknowingly expose credentials through terminal recording, shared consoles, log collectors, or support screenshots. The surrounding skill context makes this more dangerous because this service also enables broad cross-origin access and exposes local code files, so token reuse could grant unauthorized access to sensitive workspace contents.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The dashboard stores the bearer token in localStorage, which is readable by any JavaScript executing in the page origin, including injected scripts, compromised dependencies, or malicious browser extensions with page access. In this skill context, that token appears to authorize sensitive approval, file-tree, audit, and status operations against a local bridge service, so theft could let an attacker monitor or manipulate local access decisions.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The code places the bearer token in the WebSocket URL query string, which can be exposed through browser history, logs, debugging tools, reverse proxies, crash reports, and server access logs. In this bridge skill, the token grants access to real-time approval events for a localhost service, so leakage could enable unauthorized connection to the local backend and abuse of sensitive file-access workflows.

VirusTotal

66/66 vendors flagged this skill as clean.