← Back to Skills Marketplace
730
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install claude-local-bridge
Description
Secure MCP bridge enabling Claude on your phone to browse and edit local repos with real-time, human-approved file access and audit logging.
README (SKILL.md)
Claude Local Bridge
Access your local repos from Claude on your phone. Secure MCP bridge server with approval gating.
What it does
Runs a local MCP server (over SSE) that gives Claude access to your files — but only after you explicitly approve each request from a real-time dashboard.
Tools
- browse_files — List workspace file tree (no approval needed)
- request_file_access — Request approval to read/write files (blocks until you decide)
- read_file — Read an approved file's contents
- write_file — Write to an approved file
- list_approvals — See all current approvals
- revoke_approval — Revoke access
- view_audit_log — View access history
Quick Start
git clone https://github.com/suhteevah/claude-local-bridge.git
cd claude-local-bridge
pip install -r requirements.txt
python -m app.main --roots ~/projects
Then connect Claude to http://localhost:9120/mcp/sse
Security
- Sandboxed to whitelisted directories only
- Extension blocklist (.env, .pem, .key, etc.)
- Path traversal prevention
- Bearer token auth
- Every file access requires human approval
- Full audit trail
Remote Access
Use Tailscale (free), Cloudflare Tunnel (free), or NetBird (FOSS) to access from your phone. See tunnel.md.
Usage Guidance
This package implements an approval-gated local file bridge, but the implementation relies on 'local-only' assumptions that are fragile when you follow the SKILL.md advice to use tunnels (Tailscale / Cloudflare). Key issues to consider before installing or exposing this:
- Unauthenticated endpoints: The WebSocket (/ws/approvals) and the user-facing approval decision endpoints do not enforce the bearer token in the provided code. If the HTTP server or MCP SSE is reachable from the network (e.g., via a tunnel), an attacker could connect, create approval requests, and also call the decision endpoints to grant themselves access.
- MCP SSE authentication: The MCP tools are mounted and appear callable without going through FastAPI's bearer-token dependency. That means clients able to hit /mcp/sse may trigger file-access requests. The approval gating only protects access if the approver is truly local and the decision endpoints remain inaccessible remotely.
- CORS / origin assumptions: The app sets allow_origins=["*"], which makes browser-based CSRF or cross-origin abuse easier if the service is reachable externally. The dashboard also stores tokens in localStorage which could be abused on a compromised client.
Recommended actions to make this safer:
- Do not expose the service to the public internet unless you harden it first. Keep it bound to 127.0.0.1 and use an authenticated tunnel that enforces access control.
- Add server-side token checks for the WebSocket (validate the token on connect) and require authentication on approval decision endpoints (or restrict them to localhost via middleware). Ensure the MCP SSE layer requires the same bearer token or another authenticated channel.
- Narrow CORS to only trusted origins (or remove it if not needed).
- Consider per-request CSRF protections for browser-driven actions and avoid storing long-lived secrets in localStorage.
- Review requirements.txt and run the code locally in a sandbox before using tunnels; confirm the token printed at startup and the dashboard token match and that all entrypoints validate it.
Given these concrete mismatches between claimed protections and the code, treat this skill as suspicious until you or the author apply the hardening steps above or confirm an updated release that enforces auth on all external entry points.
Capability Analysis
Type: OpenClaw Skill
Name: claude-local-bridge
Version: 0.1.0
The OpenClaw AgentSkills skill bundle is designed with strong security principles like sandboxing, explicit human approval for file access, and bearer token authentication for core file operations. However, it contains a critical vulnerability: the `/ws/approvals` WebSocket endpoint (in `app/routers/ws.py`) is not authenticated, allowing an attacker to bypass the human approval mechanism and approve/deny file access requests if the server is exposed publicly. Additionally, the FastAPI app uses `allow_origins=["*"]` for CORS, which is a vulnerability if deployed publicly without hardening. These flaws, while not indicative of intentional malice, represent significant security risks that could be exploited.
Capability Assessment
Purpose & Capability
The code and SKILL.md align in purpose: exposing a local, approval-gated file bridge for Claude. Nothing in the code asks for unrelated credentials or unusual system access. However, the SKILL.md claims 'Bearer token auth' as a security control but the registry metadata lists no required credentials or config, and several endpoints do not actually enforce that token—so the stated protections are overstated.
Instruction Scope
The runtime instructions tell users to expose the service to their phone using tunnels (Tailscale, Cloudflare Tunnel), but core server code exposes several unauthenticated interfaces: the WebSocket dashboard code (ws/approvals) contains no token check, the approval decision endpoints (POST /approvals/{id}/decide and DELETE /approvals/{id}) are implemented as 'user-facing' with no auth dependency, and the MCP SSE mount appears to accept tool calls without HTTP bearer checks. Those behaviours expand the scope beyond the claimed 'token-protected, approval-gated' model and create a risk if the service is reachable remotely.
Install Mechanism
No exotic install mechanism: SKILL.md and README instruct pip install -r requirements.txt and running the Python app. There are no downloads from ad-hoc URLs or packaged scripts in the manifest that would raise additional install risk.
Credentials
The skill declares no required environment variables or credentials (registry metadata), and BridgeConfig generates a random token by default. That is reasonable, but the SKILL.md claims bearer-token protection—because the token is internal/default and not declared as 'required', users may overlook securing it. The dashboard stores the token in localStorage; the WebSocket client uses a token query parameter while the server does not validate it—this mismatch reduces the effectiveness of the token.
Persistence & Privilege
The skill does not request persistent, always-on inclusion or escalate privileges. It runs as a local server process and keeps state in memory; no system-level changes, no 'always: true' flag, and no cross-skill configuration modifications are present.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install claude-local-bridge - After installation, invoke the skill by name or use
/claude-local-bridge - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release
Metadata
Frequently Asked Questions
What is Claude Local Bridge?
Secure MCP bridge enabling Claude on your phone to browse and edit local repos with real-time, human-approved file access and audit logging. It is an AI Agent Skill for Claude Code / OpenClaw, with 730 downloads so far.
How do I install Claude Local Bridge?
Run "/install claude-local-bridge" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Claude Local Bridge free?
Yes, Claude Local Bridge is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Claude Local Bridge support?
Claude Local Bridge is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Claude Local Bridge?
It is built and maintained by suhteevah (@suhteevah); the current version is v0.1.0.
More Skills