tailscale
Facilitates secure remote access and service sharing using Tailscale VPN, enabling seamless connectivity and file transfer.
Install this skill
Security score
The tailscale skill was audited on Feb 22, 2026 and we found 30 security issues across 4 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 80 | console.log(`Shared at: https://${tailscale.hostname}:3000`); |
Template literal with variable interpolation in command context
| 101 | console.log(`Port ${serve.port} → ${serve.url}`); |
Template literal with variable interpolation in command context
| 114 | console.log(`Public URL: https://${tailscale.hostname}.ts.net`); |
Template literal with variable interpolation in command context
| 128 | console.log(`Port ${funnel.port} → ${funnel.publicUrl}`); |
Template literal with variable interpolation in command context
| 138 | console.log(`Hostname: ${status.hostname}`); |
Template literal with variable interpolation in command context
| 139 | console.log(`IP: ${status.ip}`); |
Template literal with variable interpolation in command context
| 140 | console.log(`Tailnet: ${status.tailnet}`); |
Template literal with variable interpolation in command context
| 141 | console.log(`Online: ${status.online}`); |
Template literal with variable interpolation in command context
| 146 | console.log(`${peer.hostname} (${peer.ip})`); |
Template literal with variable interpolation in command context
| 147 | console.log(` OS: ${peer.os}`); |
Template literal with variable interpolation in command context
| 148 | console.log(` Online: ${peer.online}`); |
Template literal with variable interpolation in command context
| 149 | console.log(` Last seen: ${peer.lastSeen}`); |
Template literal with variable interpolation in command context
| 154 | console.log(`Latency: ${ping.latencyMs}ms`); |
Template literal with variable interpolation in command context
| 172 | console.log(`Received: ${received.filename}`); |
Template literal with variable interpolation in command context
| 173 | console.log(`From: ${received.sender}`); |
Template literal with variable interpolation in command context
| 174 | console.log(`Size: ${received.size} bytes`); |
Template literal with variable interpolation in command context
| 181 | console.log(`Tailscale IP: ${ip}`); // 100.x.x.x |
Webhook reference - potential data exfiltration
| 217 | ### Expose Webhook Endpoint |
Webhook reference - potential data exfiltration
| 220 | // Make webhook publicly accessible |
Webhook reference - potential data exfiltration
| 221 | await tailscale.funnel({ port: 3000, path: '/webhooks' }); |
Webhook reference - potential data exfiltration
| 222 | // External services can POST to https://your-machine.ts.net/webhooks |
Access to .env file
| 64 | authKey: process.env.TAILSCALE_AUTHKEY, |
External URL reference
| 80 | console.log(`Shared at: https://${tailscale.hostname}:3000`); |
External URL reference
| 114 | console.log(`Public URL: https://${tailscale.hostname}.ts.net`); |
External URL reference
| 201 | | **Serve** | `https://machine.tailnet-name.ts.net:port` | |
External URL reference
| 202 | | **Funnel** | `https://machine.ts.net` | |
External URL reference
| 203 | | **Custom domain** | `https://your-domain.com` | |
External URL reference
| 214 | // Team can access at https://your-machine.tailnet.ts.net:3000 |
External URL reference
| 222 | // External services can POST to https://your-machine.ts.net/webhooks |
External URL reference
| 230 | // Open https://your-machine.tailnet.ts.net:18789/webchat on phone |