ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ngrok Preview

v1.0.2

Generate short-lived, mobile-friendly ngrok preview links for local artifacts and share them in Telegram. Use when OpenClaw produces images/charts/generated...

0· 549·0 current·0 all-time
byYong@wynnsu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included script and SKILL.md: the script packages task artifacts, starts an ngrok tunnel, and exposes a temporary preview. The README mentions Telegram only as the delivery channel; the skill does not require Telegram credentials (it expects the agent or user to share the link) which is reasonable.
Instruction Scope
SKILL.md keeps scope narrow (collect task artifacts, create a session, publish link, clean up). The script follows that: it copies only the explicitly passed --source paths and serves them. However, the script will copy arbitrary filesystem paths you pass (absolute or relative), so a careless invocation could expose sensitive files. SKILL.md warns not to publish broad directories, but the mechanism does allow copying anything the agent/user specifies.
Install Mechanism
No install spec; instructions require a user-installed ngrok binary (official site) and optionally an auth token. Nothing is downloaded or executed from unknown remote URLs by the skill itself.
Credentials
No required environment variables are declared. The script optionally reads NGROK_AUTHTOKEN (or accepts --auth-token) which is appropriate for using ngrok. No other secrets or unrelated credentials are requested.
Persistence & Privilege
The skill writes session state and copied artifacts under ~/.cache/openclaw-ngrok-preview (per-session dirs stored until cleaned). always:false and no privileged flags are set. Users should be aware that copied artifacts persist until 'down' or 'cleanup' is run and that stale sessions can retain files.
Assessment
This skill appears to do what it says: create short-lived ngrok previews of files you explicitly provide. Before installing/using it: 1) Install ngrok from the official site and provide NGROK_AUTHTOKEN securely if you want authenticated tunnels. 2) Only pass specific artifact paths (not broad or system dirs) — the script will copy whatever paths you give into ~/.cache/openclaw-ngrok-preview, so do not include secrets (SSH keys, config dirs, root of workspace). 3) Run the provided cleanup/down commands after the preview is no longer needed to remove local copies. 4) Verify the preview URL before sharing (it exposes files over the internet). If you want automated Telegram posting, note the skill does not contain Telegram integration or request a Telegram token — sharing must be done by the agent/user via their existing channel.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bb737hrhwat7ekhdkg1a8fh81nkqbngrokvk97bb737hrhwat7ekhdkg1a8fh81nkqbpreviewvk97bb737hrhwat7ekhdkg1a8fh81nkqbtelegramvk97bb737hrhwat7ekhdkg1a8fh81nkqb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments