Remotego

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is transparent about its purpose, but it exposes arbitrary local terminal sessions through a public URL using an unreviewed npm tool, so it needs careful review before use.

Install or run this only if you intentionally want to share a terminal over the internet. Use a sandbox, container, or low-privilege account, keep the session URL private, avoid sensitive files and credentials, and stop the tunnel as soon as collaboration is finished.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used on a normal workstation, a shared terminal could let a remote participant run commands, inspect files, or interact with local tools in ways the user did not intend.

Why it was flagged

The skill exposes arbitrary commands, including shells and REPLs, through its remote terminal workflow rather than limiting the tool to a narrow, safer command set.

Skill content

remotego <command> [command-args...] [options]

Recommendation

Use only with explicit user approval, prefer a disposable container or low-privilege account, and avoid exposing unrestricted shells or sensitive working directories.

What this means

Remote access to a shell can indirectly expose local credentials, SSH agents, environment variables, project files, cloud CLIs, and other privileges already available to the user.

Why it was flagged

Mirroring an interactive shell can give remote viewers or collaborators access to a terminal running under the local user's operating-system privileges.

Skill content

Mirror bash | `remotego bash`

Recommendation

Run the tool only in an isolated account or sandbox with minimal credentials, and do not use it in directories or sessions containing secrets or privileged account access.

What this means

The package that creates the public terminal tunnel is not reviewable from the supplied artifacts, so users must trust external npm package contents and updates.

Why it was flagged

The reviewed artifact set contains only instructions, while the actual high-impact implementation is an external npm package installed globally or run via npx without a pinned version in the instructions.

Skill content

npm install -g @remotego/remotego

Recommendation

Pin and verify the npm package version, review the package source before use, and avoid global installation where possible.

What this means

Anyone who obtains the session URL may be able to view or interact with sensitive terminal activity, and terminal data may traverse a third-party tunnel provider.

Why it was flagged

Terminal input and output are routed through a public tunnel service, and the documented access control is URL possession plus a short authentication window.

Skill content

Creates a public tunnel via localhost.run

Recommendation

Treat the session URL as a secret, stop the tunnel immediately after use, avoid displaying secrets in the terminal, and prefer stronger authentication or private networking for sensitive work.