Claude Local Bridge

Author: suhteevah · GitHub · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 730
Favorites: 0
Current installs: 1
Versions: 1
Install in OpenClaw
/install claude-local-bridge
Description
Secure MCP bridge enabling Claude on your phone to browse and edit local repos with real-time, human-approved file access and audit logging.
Usage instructions (SKILL.md)

Claude Local Bridge

Access your local repos from Claude on your phone. Secure MCP bridge server with approval gating.

What it does

Runs a local MCP server (over SSE) that gives Claude access to your files — but only after you explicitly approve each request from a real-time dashboard.

Tools

  • browse_files — List workspace file tree (no approval needed)
  • request_file_access — Request approval to read/write files (blocks until you decide)
  • read_file — Read an approved file's contents
  • write_file — Write to an approved file
  • list_approvals — See all current approvals
  • revoke_approval — Revoke access
  • view_audit_log — View access history

Quick Start

git clone https://github.com/suhteevah/claude-local-bridge.git
cd claude-local-bridge
pip install -r requirements.txt
python -m app.main --roots ~/projects

Then connect Claude to http://localhost:9120/mcp/sse

Security

  • Sandboxed to whitelisted directories only
  • Extension blocklist (.env, .pem, .key, etc.)
  • Path traversal prevention
  • Bearer token auth
  • Every file access requires human approval
  • Full audit trail

Remote Access

Use Tailscale (free), Cloudflare Tunnel (free), or NetBird (FOSS) to access from your phone. See tunnel.md.

Security usage advice
This package implements an approval-gated local file bridge, but the implementation relies on 'local-only' assumptions that are fragile when you follow the SKILL.md advice to use tunnels (Tailscale / Cloudflare). Key issues to consider before installing or exposing this:

  • Unauthenticated endpoints: The WebSocket (/ws/approvals) and the user-facing approval decision endpoints do not enforce the bearer token in the provided code. If the HTTP server or MCP SSE is reachable from the network (e.g., via a tunnel), an attacker could connect, create approval requests, and also call the decision endpoints to grant themselves access.
  • MCP SSE authentication: The MCP tools are mounted and appear callable without going through FastAPI's bearer-token dependency. That means clients able to hit /mcp/sse may trigger file-access requests. The approval gating only protects access if the approver is truly local and the decision endpoints remain inaccessible remotely.
  • CORS / origin assumptions: The app sets allow_origins=["*"], which makes browser-based CSRF or cross-origin abuse easier if the service is reachable externally. The dashboard also stores tokens in localStorage, which could be abused on a compromised client.

Recommended actions to make this safer:

  • Do not expose the service to the public internet unless you harden it first. Keep it bound to 127.0.0.1 and use an authenticated tunnel that enforces access control.
  • Add server-side token checks for the WebSocket (validate the token on connect) and require authentication on approval decision endpoints (or restrict them to localhost via middleware). Ensure the MCP SSE layer requires the same bearer token or another authenticated channel.
  • Narrow CORS to only trusted origins (or remove it if not needed).
  • Consider per-request CSRF protections for browser-driven actions and avoid storing long-lived secrets in localStorage.
  • Review requirements.txt and run the code locally in a sandbox before using tunnels; confirm the token printed at startup and the dashboard token match and that all entrypoints validate it.

Given these concrete mismatches between claimed protections and the code, treat this skill as suspicious until you or the author apply the hardening steps above or confirm an updated release that enforces auth on all external entry points.
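One way to apply the recommended token and origin checks uniformly to the entry points named above, as an added example that is not code from the claude-local-bridge project. The function names, the `token` query parameter name, the sample token and the origin allowlist are assumptions; only the route paths and port come from this page.

```python
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Entry points named in the review; anything not listed is denied by default.
PROTECTED = [
    ("GET", re.compile(r"^/ws/approvals$")),
    ("GET", re.compile(r"^/mcp/sse$")),
    ("POST", re.compile(r"^/approvals/[^/]+/decide$")),
    ("DELETE", re.compile(r"^/approvals/[^/]+$")),
]

def presented_token(headers, query, allow_query):
    """Bearer header first; query parameter only where explicitly allowed."""
    scheme, _, value = headers.get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and value.strip():
        return value.strip()
    if allow_query:  # assumed parameter name: token
        return parse_qs(query).get("token", [""])[0]
    return ""

def authorize(method, url, headers, expected_token, allowed_origins):
    """Return (allowed, reason). Header names are expected in lower case."""
    parts = urlsplit(url)
    if not any(m == method and rx.match(parts.path) for m, rx in PROTECTED):
        return False, "route not allowlisted"
    # CORS does not cover WebSocket handshakes, so Origin is checked here.
    # The client address is not consulted: a tunnel daemon that proxies to
    # localhost makes remote requests arrive from 127.0.0.1.
    origin = headers.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False, "origin not allowed"
    is_ws = parts.path == "/ws/approvals"
    token = presented_token(headers, parts.query, allow_query=is_ws)
    if not token:
        return False, "missing token"
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return False, "bad token"
    return True, "ok"

# Constructed sample values, not taken from the project.
TOKEN = "constructed-demo-token"
ORIGINS = {"http://localhost:9120"}

if __name__ == "__main__":
    print(authorize("GET", "/ws/approvals", {}, TOKEN, ORIGINS))
    print(authorize("POST", "/approvals/req-1/decide",
                    {"authorization": "Bearer " + TOKEN}, TOKEN, ORIGINS))
```

In a real server the same function would be called from the WebSocket connect handler and from a middleware in front of the HTTP routes, so no entry point can be mounted without it.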
Functional analysis
Type: OpenClaw Skill
Name: claude-local-bridge
Version: 0.1.0
The OpenClaw AgentSkills skill bundle is designed with strong security principles like sandboxing, explicit human approval for file access, and bearer token authentication for core file operations. However, it contains a critical vulnerability: the `/ws/approvals` WebSocket endpoint (in `app/routers/ws.py`) is not authenticated, allowing an attacker to bypass the human approval mechanism and approve/deny file access requests if the server is exposed publicly. Additionally, the FastAPI app uses `allow_origins=["*"]` for CORS, which is a vulnerability if deployed publicly without hardening. These flaws, while not indicative of intentional malice, represent significant security risks that could be exploited.
Capability assessment
Purpose & Capability
The code and SKILL.md align in purpose: exposing a local, approval-gated file bridge for Claude. Nothing in the code asks for unrelated credentials or unusual system access. However, the SKILL.md claims 'Bearer token auth' as a security control but the registry metadata lists no required credentials or config, and several endpoints do not actually enforce that token—so the stated protections are overstated.
Instruction Scope
The runtime instructions tell users to expose the service to their phone using tunnels (Tailscale, Cloudflare Tunnel), but core server code exposes several unauthenticated interfaces: the WebSocket dashboard code (ws/approvals) contains no token check, the approval decision endpoints (POST /approvals/{id}/decide and DELETE /approvals/{id}) are implemented as 'user-facing' with no auth dependency, and the MCP SSE mount appears to accept tool calls without HTTP bearer checks. Those behaviours expand the scope beyond the claimed 'token-protected, approval-gated' model and create a risk if the service is reachable remotely.
Install Mechanism
No exotic install mechanism: SKILL.md and README instruct pip install -r requirements.txt and running the Python app. There are no downloads from ad-hoc URLs or packaged scripts in the manifest that would raise additional install risk.
Credentials
The skill declares no required environment variables or credentials (registry metadata), and BridgeConfig generates a random token by default. That is reasonable, but the SKILL.md claims bearer-token protection—because the token is internal/default and not declared as 'required', users may overlook securing it. The dashboard stores the token in localStorage; the WebSocket client uses a token query parameter while the server does not validate it—this mismatch reduces the effectiveness of the token.
Persistence & Privilege
The skill does not request persistent, always-on inclusion or escalate privileges. It runs as a local server process and keeps state in memory; no system-level changes, no 'always: true' flag, and no cross-skill configuration modifications are present.
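How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install claude-local-bridge
  3. Once installation completes, invoke the Skill by name or trigger it with /claude-local-bridge
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history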
v0.1.0
Initial release
Metadata
Slug claude-local-bridge
Version 0.1.0
License
Total installs 1
Current installs 1
Historical versions 1
FAQ

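What is Claude Local Bridge?

Secure MCP bridge enabling Claude on your phone to browse and edit local repos with real-time, human-approved file access and audit logging. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 730 cumulative downloads to date.

How do I install Claude Local Bridge?

Run the command "/install claude-local-bridge" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Claude Local Bridge free?

Yes, Claude Local Bridge is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Claude Local Bridge support?

Claude Local Bridge runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Claude Local Bridge?

Developed and maintained by suhteevah (@suhteevah); the current version is v0.1.0.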
