by Mohit-Patil
Control Codex from your phone
# Add to your Claude Code skills
git clone https://github.com/Mohit-Patil/clawdex-mobileGuides for using cli tools skills like clawdex-mobile.
Last scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@connectrpc/connect-node: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@cursor/sdk: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@expo/cli: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@expo/config: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@expo/config-plugins: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@expo/local-build-cache-provider: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@expo/metro-config: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@expo/prebuild-config: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@tootallnate/once: @tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "cacache: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "expo: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "expo-constants: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fastify: fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections",
"severity": "high"
},
{
"type": "npm-audit",
"message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
"severity": "high"
},
{
"type": "npm-audit",
"message": "http-proxy-agent: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "jest-expo: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "lodash: lodash vulnerable to Code Injection via `_.template` imports key names",
"severity": "high"
},
{
"type": "npm-audit",
"message": "make-fetch-happen: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "markdown-it: Uncontrolled Resource Consumption in markdown-it",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "node-forge: Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)",
"severity": "high"
},
{
"type": "npm-audit",
"message": "node-gyp: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "react-native-markdown-display: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "sqlite3: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "undici: Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "uuid: uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ws: ws: Uninitialized memory disclosure",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "xcode: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
"severity": "medium"
}
],
"status": "WARNING",
"scannedAt": "2026-05-30T16:38:33.705Z",
"npmAuditRan": true,
"pipAuditRan": true
}No comments yet. Be the first to share your thoughts!
Top skills in this category by stars
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
Run Codex or OpenCode from your phone. clawdex-mobile ships the bridge CLI plus bundled Rust bridge binaries for supported hosts, and the mobile app pairs to that bridge over Tailscale or local LAN.
This project is for trusted/private networking by default. Keep the bridge on a private network, leave bridge auth enabled, and do not expose it directly to the public internet.
Before you start:
gitcodex in PATH for the default Codex flowopencode in PATH if you want the OpenCode flowclawdex-mobile for the Cursor SDK flowInstall the mobile app:
Install the CLI and start the bridge:
npm install -g clawdex-mobile@latest
clawdex init
Then open the mobile app and connect using the printed bridge URL/token or pairing QR.
clawdex init now writes config, starts the bridge in the background, and returns you to the shell. Bridge logs go to .bridge.log.
The npm package is bridge-only. It does not install Expo or the mobile source tree. On supported macOS, Linux, and Windows hosts it uses bundled bridge binaries, so normal startup does not compile Rust. The current interactive setup helpers are still macOS/Linux-oriented.
Typical operator flow:
npm install -g clawdex-mobile@latest
clawdex init
clawdex stop
OpenCode and Cursor can run beside Codex from the same bridge.
npm install -g opencode-ai
npm install -g clawdex-mobile@latest
clawdex init --engines codex,opencode,cursor
That writes BRIDGE_ENABLED_ENGINES=codex,opencode,cursor to .env.secure, so the mobile app can control the selected harnesses from one bridge. When Cursor is selected, clawdex init uses the bundled cursor-app-server, asks for a Cursor account API key from Cursor Dashboard > Integrations > User API Keys, and saves it in .env.secure. Cursor documents this under CLI authentication: https://docs.cursor.com/en/cli/reference/authentication
Notes:
clawdex init without flags now lets you multi-select harnesses in the wizard with Space, then Enter to continue.clawdex init --engine codex, clawdex init --engine opencode, or clawdex init --engine cursor if you want a single-harness setup.CURSOR_API_KEY before running setup. This should be a Cursor account API key for the Cursor agent/SDK, not an OpenAI, Anthropic, or other provider key configured inside the Cursor editor. CURSOR_MODEL is optional; the app model picker sends the model for normal chats.If you are working from source:
npm install
npm run setup:wizard
npm run mobile
For one-step restarts that switch the bridge network mode, reuse the existing token, start the bridge in the background, and then launch Expo:
npm run stack:lan
npm run stack:tailscale
stack:lan is the local network path, so it also covers the same-device LAN/VLAN case.
For an OpenCode-first repo checkout:
npm run setup:wizard -- --engine opencode
Use npm run setup:wizard -- --no-start if you only want to write config.
clawdex init [--engine codex|opencode|cursor] [--engines codex,opencode,cursor] [--no-start]clawdex stopclawdex upgrade / clawdex updateclawdex versionnpm run setup:wizardnpm run secure:bridgenpm run mobilenpm run stack:lannpm run stack:tailscalenpm run iosnpm run androidnpm run stop:servicesnpm run teardown