TunnelProxy

Security checks across malware telemetry and agentic risk

Overview

This skill openly gives a cloud agent broad remote control over the user's computer and network, but it lacks strong built-in limits for such high-impact access.

Install only if you intentionally want a fully trusted agent to control your computer and network. Use an isolated VM or dedicated low-privilege account, bind to localhost unless public access is absolutely required, avoid workplace or internal networks unless explicitly authorized, use strong short-lived tokens, and review logs and commands closely.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (22)

Tainted flow: 'host' from os.environ.get (line 5, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
token = os.environ.get("TUNNEL_AGENT_TOKEN")

# 1. Get a temporary port
resp = requests.post(f"http://{host}:{http_port}/api/session", json={"token": token})
port = resp.json()["port"]

# 2. Connect immediately
Confidence
97% confidence
Finding
resp = requests.post(f"http://{host}:{http_port}/api/session", json={"token": token})

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code retrieves a token from the environment, authenticates to a local/agent service, then opens a raw socket and sends a shell-like command (`ls -la`) with no stated legitimate need in the skill. This is remote command execution behavior and could be adapted to run arbitrary commands or probe the host through a tunnel.
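The two findings above (the environment-to-network tainted flow and the shell-like command sent over a socket) can be reproduced mechanically with a small AST-based checker. The block below is an added example written for this page; it is not code from SkillSpector or from the TunnelProxy skill. The source it scans is reconstructed from the excerpts quoted in the findings, with a hypothetical `socket.create_connection` / `sendall(b"ls -la\n")` pair standing in for the socket step the finding describes (the skill's real socket code is not shown on this page), and the source/sink tables are assumptions chosen for illustration.

```python
import ast
from dataclasses import dataclass

# Constructed sample, assembled from the code excerpts quoted in the findings.
# The last two lines are a hypothetical stand-in for the "open a raw socket and
# send ls -la" behaviour the finding describes; the skill's real code is not on this page.
SAMPLE = '''import os, socket, requests
host = os.environ.get("TUNNEL_HOST", "127.0.0.1")
http_port = os.environ.get("TUNNEL_HTTP_PORT", "8080")
token = os.environ.get("TUNNEL_AGENT_TOKEN")
resp = requests.post(f"http://{host}:{http_port}/api/session", json={"token": token})
port = resp.json()["port"]
sock = socket.create_connection((host, int(port)))
sock.sendall(b"ls -la\\n")
'''

# Assumed source/sink tables; a production scanner would carry far longer lists.
ENV_SOURCES = {("os", "environ", "get"), ("os", "getenv")}
NET_SINKS = {("requests", "post"), ("requests", "get"),
             ("socket", "create_connection"), ("socket", "socket")}
SHELL_PREFIXES = ("ls ", "cat ", "rm ", "curl ", "wget ", "sh ", "bash ", "whoami")


@dataclass
class Finding:
    line: int
    kind: str
    detail: str


def dotted(node):
    """Dotted name of a call target, e.g. os.environ.get -> ('os', 'environ', 'get')."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return tuple(reversed(parts))
    return None


class TaintScanner(ast.NodeVisitor):
    """Flow-insensitive taint tracking: env reads taint variables, network calls are sinks."""

    def __init__(self):
        self.tainted = {}      # variable name -> description of its taint source
        self.findings = []

    @staticmethod
    def names_in(node):
        return {n.id for n in ast.walk(node) if isinstance(n, ast.Name)}

    def visit_Assign(self, node):
        # An env read taints the target; so does any RHS that references a tainted name.
        src = None
        if isinstance(node.value, ast.Call) and dotted(node.value.func) in ENV_SOURCES:
            src = f"env read at line {node.lineno}"
        else:
            hit = self.names_in(node.value) & set(self.tainted)
            if hit:
                src = self.tainted[sorted(hit)[0]]
        if src:
            for target in node.targets:
                if isinstance(target, ast.Name):
                    self.tainted[target.id] = src
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in NET_SINKS:
            hit = sorted(self.names_in(node) & set(self.tainted))
            if hit:
                self.findings.append(Finding(
                    node.lineno, "tainted-flow",
                    f"{hit} ({self.tainted[hit[0]]}) -> {'.'.join(name)}"))
            # Plaintext transport of whatever the sink carries (here: the agent token).
            for sub in ast.walk(node):
                if isinstance(sub, ast.Constant) and isinstance(sub.value, str) \
                        and sub.value.startswith("http://"):
                    self.findings.append(Finding(node.lineno, "plaintext-http", sub.value))
        # A literal shell command written to a socket is the "shell-like command" pattern.
        if name and name[-1] in ("send", "sendall"):
            for arg in node.args:
                if isinstance(arg, ast.Constant) and isinstance(arg.value, (bytes, str)):
                    text = arg.value.decode() if isinstance(arg.value, bytes) else arg.value
                    if text.startswith(SHELL_PREFIXES):
                        self.findings.append(Finding(node.lineno, "shell-over-socket", repr(text.strip())))
        self.generic_visit(node)


def scan(source: str) -> list:
    scanner = TaintScanner()
    scanner.visit(ast.parse(source))
    return scanner.findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.detail}")
```

Run against the constructed sample this reports the token-carrying `requests.post` on line 5 as both a tainted flow and plaintext HTTP, the tainted `socket.create_connection` on line 7, and the `ls -la` write on line 8. The tracking is deliberately flow-insensitive and name-based, so it over-approximates (any variable derived from a tainted one stays tainted); for skill review that is the right bias, since the cost of a false positive is a manual look at one line.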

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The comment claims the script 'immediately connects' after obtaining a temporary port, but the implementation goes further and sends a command over the socket. That mismatch obscures the true behavior and makes the code more deceptive and harder to review, increasing the risk of hidden remote execution functionality.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The skill's invocation conditions are effectively 'use when sandbox lacks tools/network,' which is extremely broad for a capability that grants remote shell, file access, and proxying through the user's machine. In this context, underspecified triggering is dangerous because it encourages routine use of a remote-access backchannel for ordinary task completion, greatly increasing the chance of unauthorized command execution and data access.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The documentation explicitly instructs using the user's machine to access internal company resources, which turns the skill into a pivot point into private networks. This enables unauthorized access, exfiltration, and lateral movement using the user's trust boundary and network position.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest requires multiple sensitive environment variables, including an agent authentication token and upload verification token, but provides no activation constraints or trigger context limiting when this skill should run. A broadly invokable network-tunneling skill can increase exposure of these secrets or enable unintended proxying behavior if the platform allows loose routing or accidental invocation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README explicitly promotes giving the AI the ability to run commands on the user's computer and acknowledges sensitive consequences such as Internet access via the user's IP, use of licensed software, and use of local compute resources, but it frames these as trust issues rather than clearly disclosing the concrete safety-critical capabilities (remote shell access, file serving, and file upload) that affect confidentiality, integrity, and availability. This is dangerous because users may underestimate that the tool can expose local files, enable arbitrary command execution, and create a channel for data exfiltration or system misuse, while the document normalizes broad access as long as the AI is 'trusted.'

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section provides concrete instructions to upload and execute a Python script on a remote system without any authorization, trust-boundary, or safety warning. In a skill context, actionable remote code execution guidance materially increases misuse risk because it lowers the barrier to operating on remote hosts and can be repurposed for unauthorized access or post-compromise actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explains how to register an agent, obtain a token, request a PTY session, and send commands over HTTP and sockets, but it does not warn that tokens and commands are sensitive credentials/operations. Because the examples use plaintext HTTP and privileged identity fields like username=root, readers may normalize insecure handling of authentication material and remote command channels.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly describes exposing a shell service over a TCP socket and then making it publicly reachable via FRP, but provides no authentication, authorization, encryption, or prominent warning about the risks. In practice, a publicly exposed command-execution interface can enable arbitrary remote code execution, data theft, lateral movement, and host compromise if deployed as documented.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script silently transmits an authentication token over the network without any disclosure, confirmation, or indication of where it is being sent. In this context, that is dangerous because the destination is configurable and the transport is unsecured HTTP, enabling credential leakage or misuse.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script opens a socket to a dynamically supplied port and sends a shell-like command without any user-facing warning or documented need. In skill context, this is highly suspicious because it enables covert remote command execution or host enumeration through a tunnel.

Ssd 3

High
Confidence
99% confidence
Finding
These sections provide plain-language operational guidance for remote command execution, file transfer, reverse proxying, and unrestricted network access via the user's host. The skill context makes this more dangerous, not less, because the entire stated purpose is to bypass sandbox restrictions and use the user's machine as a controllable execution and network relay surface.

Ssd 3

High
Confidence
99% confidence
Finding
The instructions tell the agent exactly how to browse directories, download arbitrary files, and upload data to the user's machine. This creates a clear path for unauthorized collection of local files and tampering with host contents, especially when combined with the skill's remote execution and network capabilities.

Ssd 3

High
Confidence
99% confidence
Finding
This guidance tells the agent to use the user's shell and network to fetch blocked content on its behalf, effectively bypassing sandbox policy and routing traffic through the user's identity and IP. That creates substantial risk of SSRF-style abuse, access to restricted services, download of malicious content, and use of the user's network for prohibited or illegal activity.

Ssd 3

Critical
Confidence
100% confidence
Finding
The use case explicitly directs the agent to reach internal company systems through the user's machine, which is a direct instruction for network pivoting into protected environments. In context, this is not an incidental risk but an advertised capability, making exploitation highly likely and impact potentially severe.

External Transmission

Medium
Category
Data Exfiltration
Content
token = os.environ.get("TUNNEL_AGENT_TOKEN")

# 1. Get a temporary port
resp = requests.post(f"http://{host}:{http_port}/api/session", json={"token": token})
port = resp.json()["port"]

# 2. Connect immediately
Confidence
88% confidence
Finding
requests.post(f"http://{host}:{http_port}/api/session", json={"token": token})

Env Variable Harvesting

High
Category
Data Exfiltration
Content
host = os.environ.get("TUNNEL_HOST", "127.0.0.1")
http_port = os.environ.get("TUNNEL_HTTP_PORT", "8080")
token = os.environ.get("TUNNEL_AGENT_TOKEN")

# 1. Get a temporary port
resp = requests.post(f"http://{host}:{http_port}/api/session", json={"token": token})
Confidence
86% confidence
Finding
os.environ.get("TUNNEL_AGENT_TOKEN")

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
🚇 Direct tunnel from Cloud Agent → Local terminal

Grants AI Agents running in restricted cloud environments full control over your local computer.
— Bypass network restrictions, escape API sandboxes, execute arbitrary commands, and enable bidirectional file transfer.
env:
  - TUNNEL_HOST
Confidence
99% confidence
Finding
execute arbitrary commands

External Script Fetching

High
Category
Supply Chain
Content
The Agent will be able to:

- 📁 **Read, modify, or delete any file** on your hard drive (including private data, secrets, system files)
- 💻 **Execute any system command** (e.g., `rm -rf /`, `curl ... | sh`, install backdoors)
- 🌐 **Access any external service** through your network (including internal networks, public Internet, dark web)
- 🔌 **Launch any software** installed on your computer (browser, editor, database client, etc.)
Confidence
95% confidence
Finding
curl ... | sh

Tool Parameter Abuse

High
Category
Tool Misuse
Content
The Agent will be able to:

- 📁 **Read, modify, or delete any file** on your hard drive (including private data, secrets, system files)
- 💻 **Execute any system command** (e.g., `rm -rf /`, `curl ... | sh`, install backdoors)
- 🌐 **Access any external service** through your network (including internal networks, public Internet, dark web)
- 🔌 **Launch any software** installed on your computer (browser, editor, database client, etc.)
Confidence
97% confidence
Finding
rm -rf /

VirusTotal

66/66 vendors flagged this skill as clean.