tailscale
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM | CREDENTIALS_UNSAFE | COMMAND_EXECUTION | DATA_EXFILTRATION
Full Analysis
- [Data Exposure & Exfiltration] (MEDIUM): The script `scripts/ts-api.sh` accesses a sensitive credential file at `~/.clawdbot/credentials/tailscale/config.json` to retrieve the `apiKey`. This key is then transmitted via `curl` to `api.tailscale.com`. While this is the intended function of a management skill, the exposure of high-privilege keys to an AI agent poses a risk of accidental or malicious disclosure.
- [Command Execution] (MEDIUM): The skill enables high-risk network operations via the `tailscale` CLI, including `tailscale funnel` (exposing local ports to the public internet) and `tailscale up --ssh` (enabling remote shell access). These capabilities could be leveraged to bypass local firewall protections or establish unauthorized persistence.
- [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from the Tailscale network environment which could potentially contain malicious instructions.
  - Ingestion points: `scripts/ts-api.sh` retrieves device lists, hostnames, and ACL policies from the Tailscale API.
  - Boundary markers: None. Data is parsed via `jq` and returned as raw or structured text to the agent context.
  - Capability inventory: The skill can create reusable auth keys, delete devices, and expose services to the internet.
  - Sanitization: No sanitization or validation is performed on hostnames or device tags retrieved from the API, allowing for potential injection if an attacker can name a device in the tailnet.
Audit Metadata