Claude Local Bridge

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its local-repo bridge purpose, but important MCP and approval-control paths are not consistently authenticated, which is risky if exposed to a phone or tunnel.

Do not expose this bridge through Cloudflare Tunnel, Tailscale sharing, or any public interface as-is. If you use it, bind it to localhost, restrict CORS, add authentication to /mcp, /approvals, /audit, and /ws, and test secret-file exclusions before granting access to sensitive repositories.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the bridge is reachable through a tunnel or from a browser on the local machine, an unintended client may be able to invoke MCP file-access workflows.

Why it was flagged

The app permits wildcard browser origins and mounts the MCP server directly. No bearer-token dependency or local-only wrapper is shown for the /mcp sub-application, even though the MCP tools include file browsing, approval requests, reads, and writes.

Skill content

allow_origins=["*"],  # Lock down in production ... mcp_app = mcp_server.sse_app(); app.mount("/mcp", mcp_app)

Recommendation

Require authentication on /mcp, restrict CORS to trusted dashboard origins, and only expose the bridge through authenticated tunnels or localhost-only access.

What this means

Anyone who can reach the bridge may be able to approve, deny, or revoke file-access approvals, undermining the promised human approval boundary.

Why it was flagged

Approval decision routes are explicitly left without token protection, but the code does not enforce that callers are actually localhost-only.

Skill content

# User-facing (local dashboard, no token needed for localhost) ... @router.post("/{approval_id}/decide", response_model=Approval) async def decide_approval(...)

Recommendation

Protect approval listing, decision, and revoke endpoints with bearer auth or a separate local-only dashboard token, and enforce origin/IP checks if they are intended to be localhost-only.

What this means

A reachable WebSocket client could observe approval traffic or submit approval decisions, exposing local file paths and affecting file-access permissions.

Why it was flagged

The WebSocket accepts a client before any authentication or origin validation is shown, then processes approval decisions from that client.

Skill content

@router.websocket("/ws/approvals") async def ws_approvals(ws: WebSocket): await ws.accept() ... if msg.get("type") == "decide": ... _approval_svc.resolve(...)

Recommendation

Authenticate WebSocket connections, validate origins, bind the dashboard channel to localhost or an authenticated tunnel, and reject unauthenticated decision messages.

What this means

Users may expose the bridge more broadly than is safe because the documented security posture is stronger than what the code enforces.

Why it was flagged

The security wording could lead users to trust remote exposure, but the source shows unauthenticated approval/WebSocket paths and an in-memory audit log rather than a durable full audit trail.

Skill content

- Bearer token auth
- Every file access requires human approval
- Full audit trail

## Remote Access
Use Tailscale ... Cloudflare Tunnel ... to access from your phone.

Recommendation

Update the documentation to clearly state the actual security boundaries, or implement the promised authentication, approval isolation, and durable audit behavior before recommending remote access.

What this means

Users may install dependencies or code that were not enforced or pinned by the registry metadata.

Why it was flagged

Manual cloning and dependency installation are expected for this server-style tool, but the registry lists no install spec, so users need to verify the repository and requirements themselves.

Skill content

git clone https://github.com/suhteevah/claude-local-bridge.git ... pip install -r requirements.txt

Recommendation

Review the repository and requirements.txt before installing, prefer pinned dependency versions, and install in a virtual environment.