Skill Trust Decision

tunnel-proxy

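The tool's declarations broadly match its implementation. Remote shell execution is declared, but the risk of abuse warrants caution. No credential harvesting or covert data exfiltration.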

Install decision first
Source: ClawHub
Scanned: Apr 20, 2026
Files 6
Artifacts 3
Violations 0
Findings 4

Why this conclusion was reached

0/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review
Hidden execution and egress

3 lower-risk artifacts were extracted and still need context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

2 dependency or supply-chain issues need attention.

What drove the risk score up

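Remote shell execution capability is declared +-10

SKILL.md explicitly declares "grants remote shell access"

PtySession can execute arbitrary commands +20

The agent can execute arbitrary shell commands on the user's machine through a PTY, with no command allowlist

File transfer covers all paths +10

pull_file/push_file can access any path on the user's file system

pip_download allows remote execution +5

run_remote executes arbitrary commands, including pip install

pexpect dependency version is not pinned +5

requirements does not declare version pinning

No evidence of malicious behavior +-10

Functionality is fully declared; no shadow functionality, no credential harvesting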

Most important evidence

Medium RCE

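PtySession can execute arbitrary shell commands

The PTYSession.run() method sends an arbitrary string as a command over a TCP socket to the remote end for execution, with no command allowlist or permission control. The agent can execute arbitrary commands, including data theft, persistence implants, and lateral movement

scripts/pty_exec.py:76
Consider adding a command allowlist, or requiring the user to explicitly approve each command execution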
Medium Sensitive Access

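File transfer has no path restrictions

pull_file() can download files from any path on the user's system, and push_file() can upload arbitrary files to the user's system. An attacker could transfer sensitive files (such as ~/.ssh/id_rsa) through the tunnel

scripts/tunnel_ops.py:74
Require the TunnelProxy server to configure doc_root to restrict the accessible scope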
Low Supply Chain

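pexpect dependency has no version pinning

requirements is not declared; pip install pexpect has no version control, creating a dependency substitution risk

SKILL.md:9
Create requirements.txt locking requests>=2.28.0 pexpect>=4.8.0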
Low Doc Mismatch

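Default TunnelProxy address points to an external service

HOST defaults to frp.freefrp.net; the agent may connect to a TunnelProxy service not owned by the user

scripts/tunnel_ops.py:12
Require the user to explicitly provide TUNNEL_HOST; do not use a default value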

Declared capability vs actual capability

Network Pass
Declared READ
Inferred READ
The fetch_url method calls run_remote to execute curl
Shell Pass
Declared WRITE
Inferred WRITE
run_remote executes arbitrary commands through PTYSession: tunnel_ops.py:31
Filesystem Pass
Declared READ/WRITE
Inferred READ/WRITE
pull_file/push_file transfer files over HTTP: tunnel_ops.py:74,86
Skill Invoke Pass
Declared NONE
Inferred NONE

Suspicious artifacts and egress

Medium External URL
https://httpbin.org/ip

README.md:50

Medium External URL
https://arxiv.org/abs/2301.00001

README.md:71

Medium External URL
https://pypi.org

scripts/pty_exec.py:7

Dependencies and supply chain

Package · Version · Source · Known vuln · Notes
requests · * · pip · No · No version pinning
pexpect · * · pip · No · No version pinning

File composition

6 files · 768 lines
Python 3 files · 444 lines
Markdown 3 files · 324 lines
Files of concern · 4
scripts/pty_exec.py Python · 204 lines
PtySession can execute arbitrary shell commands · https://pypi.org
scripts/tunnel_ops.py Python · 134 lines
File transfer has no path restrictions · Default TunnelProxy address points to an external service
README.md Markdown · 138 lines
https://httpbin.org/ip · https://arxiv.org/abs/2301.00001
SKILL.md Markdown · 138 lines
pexpect dependency has no version pinning
Other files · http_transfer.py · protocol.md

Security positives

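SKILL.md explicitly declares the skill a high-risk tool (grants remote shell access)
All functionality (remote command execution, file transfer, URL fetching) is declared in the documentation
No credential-harvesting code (does not iterate over os.environ)
No base64 encoding or code obfuscation
Data flow is clear: user's local TunnelProxy, no third-party data exfiltration
Code structure is clear, with no shadow functionality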