Is tailscale safe?
https://clawhub.ai/jmagar/tailscale
This is a legitimate Tailscale management skill with well-written shell code and no malicious intent. However, it exposes extremely powerful infrastructure operations (auth key creation, device deletion, ACL modification, public internet funneling, file transfer) through an LLM agent without built-in confirmation gates or permission scoping. The primary risk is not malicious code but the breadth of destructive and sensitive operations the agent can perform with a single API key.
Findings (10)
HIGH Tailnet auth key creation enables unauthorized device join -20
The skill exposes 'create-key --reusable' which generates auth keys that can be used to join arbitrary devices to the user's tailnet. If an attacker can observe or influence agent output, they could obtain a reusable key and add their own device to the private network.
HIGH ACL modification can grant unauthorized network access -15
The skill exposes ACL management endpoints. An attacker who can influence agent behavior could modify access control policies to grant themselves broader network access or disable security restrictions.
HIGH Taildrop file transfer enables data exfiltration to tailnet devices -25
The 'tailscale file cp' command can send arbitrary files to any device on the tailnet. If an attacker has a device on the tailnet (via auth key creation or pre-existing access), they can instruct the agent to send sensitive files.
MEDIUM Broad API key permissions for tailnet management -20
The Tailscale API key stored in credentials grants full tailnet management access including device deletion, key creation, DNS changes, and ACL modification. The skill does not implement any permission scoping or confirmation prompts for destructive operations.
MEDIUM Public internet exposure via tailscale funnel -20
The 'tailscale funnel' command exposes local services to the public internet. An agent executing this without user confirmation could inadvertently expose internal services, development databases, or admin panels.
MEDIUM Device deletion capability enables denial of service -15
The skill exposes device deletion via the API. Malicious or mistaken agent actions could remove legitimate devices from the tailnet, disrupting network connectivity.
MEDIUM SSH enablement changes machine security posture -10
The skill includes 'tailscale up --ssh' which enables the Tailscale SSH server on the machine, potentially opening a new remote access vector that wasn't previously available.
LOW Broad activation trigger in skill description -10
The skill description triggers on any mention of 'Tailscale network management', which could cause unintended skill activation on tangentially related queries.
INFO Shell script follows security best practices 0
ts-api.sh uses 'set -euo pipefail', proper jq --arg parameterization for user input, and does not use eval or unquoted variable expansion. No command injection vectors found in the script itself.
INFO Clean installation with no suspicious activity 0
No network connections, no process spawning, no filesystem changes outside expected paths during installation.