Clawpulse Bridge
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its ClawPulse status-bridge purpose, but its monitor exposes an unauthenticated internal status endpoint while listening on all interfaces by default.
Review or patch the monitor before installing. If you use it, bind the monitor to localhost or a Tailscale-only/firewalled interface, require authentication for /internal, and treat printed tokens and QR images as secrets.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A network user who can reach the monitor port could view assistant status, work state, token-usage counters, timing data, and the monitor's thought/status text without knowing the configured token.
The monitor listens on all interfaces by default and returns internal state before the bearer-token authorization check, so anyone who can reach the port can access that endpoint without the token.
BIND_HOST = os.environ.get("MONITOR_BIND_HOST", "0.0.0.0")
...
if self.path == "/internal":
    with state_lock:
        self._json(200, dict(state))
    return
...
auth = self.headers.get("Authorization", "")
if APP_TOKEN and auth != f"Bearer {APP_TOKEN}":

Require bearer-token authentication before serving /internal, remove or disable that endpoint, and default the monitor to 127.0.0.1 or a Tailscale/firewall-restricted interface.
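As an added example (not the skill's own code), the handler below shows the fix the finding asks for: the bearer check runs before any route is dispatched, an unset token denies rather than skips the check, the comparison is constant-time, and the bind address defaults to 127.0.0.1. The environment variable names MONITOR_BIND_HOST, MONITOR_PORT and BRIDGE_TOKEN come from the excerpts on this page; the sample state contents and the route list are constructed assumptions.

```python
"""Hardened status monitor: authenticate first, then route; loopback by default."""
from __future__ import annotations

import hmac
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Default to loopback; an operator must opt in to wider exposure.
BIND_HOST = os.environ.get("MONITOR_BIND_HOST", "127.0.0.1")
MONITOR_PORT = int(os.environ.get("MONITOR_PORT", "8765"))  # assumed default port
APP_TOKEN = os.environ.get("BRIDGE_TOKEN", "")  # empty token means deny everything

state_lock = threading.Lock()
# Constructed sample of the kind of state the monitor serves.
state = {"status": "idle", "thought": "", "tokens_used": 0}


def is_authorized(auth_header: str, token: str) -> bool:
    """Constant-time bearer comparison. No configured token -> nothing is authorized."""
    if not token:
        return False
    expected = f"Bearer {token}".encode()
    return hmac.compare_digest(auth_header.encode(), expected)


def route(path: str, auth_header: str, token: str) -> tuple[int, dict]:
    """Authorization precedes dispatch, so no path (including /internal) is reachable unauthenticated."""
    if not is_authorized(auth_header, token):
        return 401, {"error": "unauthorized"}
    if path == "/health":
        return 200, {"ok": True}
    if path in ("/status", "/internal"):
        with state_lock:
            return 200, dict(state)
    return 404, {"error": "not found"}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self) -> None:
        code, body = route(self.path, self.headers.get("Authorization", ""), APP_TOKEN)
        payload = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        if code == 401:
            self.send_header("WWW-Authenticate", "Bearer")
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args) -> None:
        # Suppress the default access log so request headers never end up in LOG_FILE.
        pass


def main() -> None:
    server = ThreadingHTTPServer((BIND_HOST, MONITOR_PORT), Handler)
    print(f"monitor listening on {BIND_HOST}:{MONITOR_PORT}")
    server.serve_forever()


if __name__ == "__main__":
    main()
```

Two design points: `route()` returns the status and body so the authorization ordering can be unit-tested without opening a socket, and `is_authorized()` treats a missing BRIDGE_TOKEN as "deny all" instead of the original's "skip the check", which is the safer failure mode for a service that might be reachable beyond localhost.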
Anyone who obtains the monitor token can access the token-protected /health or /status endpoints.
The skill generates and prints bearer tokens for app setup, which is expected for this integration but means console output, QR images, and logs containing tokens should be treated as sensitive.
MONITOR_TOKEN=$(python3 - <<'PY'
import secrets
print(secrets.token_urlsafe(32))
PY
)
...
echo "Monitor token: $MONITOR_TOKEN"
Keep generated tokens and QR setup images private, rotate tokens if they are shared, and avoid pasting setup output into public places.
The local status service can keep running, keep ports open, and continue serving status until stopped or killed.
Apply mode restarts and launches a background monitor process. This is purpose-aligned and user-directed, but it persists after the setup command exits.
pkill -f clawpulse-monitor.py >/dev/null 2>&1 || true
set -a
source "$ENV_FILE"
export WORKSPACE MONITOR_BIND_HOST MONITOR_PORT BRIDGE_URL BRIDGE_TOKEN="$STATUS_TOKEN"
set +a
nohup python3 "$MONITOR_PY" >"$LOG_FILE" 2>&1 &
Provide or use a clear stop/uninstall procedure, verify which ports are listening, and run with localhost/Tailscale-only exposure unless remote access is required.
