Low Risk — Risk Score 10/100
Last scan: 17 hr ago
frp-tunnel
Share local development servers via self-hosted frp tunnel with custom domains and auto HTTPS
This is a legitimate self-hosted tunnel (frp + Caddy) skill with documented VPS infrastructure configuration. The hardcoded IP is the user's own VPS, not a C2 server. No malicious behavior, credential theft, or hidden functionality detected.
Skill Name: frp-tunnel
Duration: 38.1s
Engine: pi
Safe to install
No action required. This is a valid infrastructure tool for sharing local dev servers via self-hosted tunnel.

Findings: 1 item

Severity: Low
Finding: SSH key access to VPS (Sensitive Access)
Location: setup-guide.md:1
The skill creates and uses SSH keys (~/.ssh/frp-vps) for VPS access. The key is generated without a passphrase for automation convenience.
ssh-keygen -t ed25519 -f ~/.ssh/frp-vps -N ""
→ Document that passphrase-less keys are for automation only and should be protected at rest.

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | Creates /etc/frp/, /etc/caddy/, ~/.frp/ configs |
| Network | READ | READ | ✓ Aligned | Downloads from caddyserver.com/api/download, curl to tunnel.fud.city |
| Shell | WRITE | WRITE | ✓ Aligned | ssh, systemctl, tmux, wget, curl all for tunnel management |
| Environment | READ | READ | ✓ Aligned | Accesses CF_API_TOKEN for Cloudflare DNS challenge |
| Skill Invoke | NONE | NONE | | No inter-skill invocation |

1 High · 14 findings

| Severity | Type | Value | Location |
|---|---|---|---|
| High | IP Address (hardcoded IP address) | 5.223.75.160 | SKILL.md:18 |
| Medium | External URL | http://5.223.75.160:7500 | SKILL.md:34 |
| Medium | External URL | https://news.tunnel.fud.city | SKILL.md:44 |
| Medium | External URL | https://oldweb.tunnel.fud.city | SKILL.md:45 |
| Medium | External URL | https://api.tunnel.fud.city | SKILL.md:46 |
| Medium | External URL | https://terminal.tunnel.fud.city | SKILL.md:47 |
| Medium | External URL | https://terminal-api.tunnel.fud.city | SKILL.md:48 |
| Medium | External URL | https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare | SKILL.md:78 |
| Medium | External URL | http://xxx/.well-known/acme-challenge/ | SKILL.md:108 |
| Medium | External URL | https://new.tunnel.fud.city | SKILL.md:186 |
| Medium | External URL | https://xxx.tunnel.fud.city | SKILL.md:238 |
| Medium | External URL | https://www.hetzner.com/cloud/ | setup-guide.md:20 |
| Medium | External URL | https://caddyserver.com/api/download?os=linux&arch=$ | setup-guide.md:205 |
| Medium | External URL | https://app.tunnel.your-domain.com | setup-guide.md:337 |

File Tree

2 files · 16.0 KB · 653 lines
Markdown 2f · 653L
├─ 📝 setup-guide.md Markdown 361L · 7.8 KB
└─ 📝 SKILL.md Markdown 292L · 8.2 KB

Security Positives

✓ Documentation is thorough and clearly describes all operations
✓ All network requests go to legitimate sources (caddyserver.com, github.com, Cloudflare)
✓ SSH access is to user's own VPS (5.223.75.160), not external C2
✓ Credentials stored in standard locations (~/.ssh/, environment variables)
✓ No base64 obfuscation or suspicious encoded commands
✓ No data exfiltration or credential harvesting beyond documented config
✓ Binary downloads are from official vendor endpoints