IPFS Server
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent IPFS administration skill, but it teaches powerful server commands that can publish data, expose a gateway, and keep a node running.
Install this only if you want the agent to help with full IPFS node administration. Before running commands, verify installer sources, avoid publishing private files, keep the API and gateway local unless you intentionally expose them, protect any pinning-service tokens or swarm keys, and stop the daemon when you no longer need it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised or incorrectly sourced installer could affect the local machine because the install command runs with elevated privileges.
The skill documents a user-directed download and privileged installer script. This is purpose-aligned for installing IPFS, but users should verify the binary source before running it with sudo.
curl -O https://dist.ipfs.tech/kubo/v0.24.0/kubo_v0.24.0_darwin-amd64.tar.gz
tar -xzf kubo_v0.24.0_darwin-amd64.tar.gz
sudo ./kubo/install.sh
Prefer the package manager path when possible, or verify Kubo downloads and checksums/signatures from the official IPFS distribution source before using sudo.
A public gateway may be reachable from other devices or the internet, consuming bandwidth and exposing the gateway service if the host network permits it.
The skill includes commands to bind the IPFS gateway to all interfaces. This is disclosed and aligned with gateway operation, but it can expose a service beyond localhost.
ipfs config Addresses.Gateway /ip4/0.0.0.0/tcp/8080 # Public gateway (be careful!)
Keep the gateway on 127.0.0.1 unless you intentionally want public or LAN access, and use firewall or reverse-proxy controls for any public deployment.
The node may continue using network bandwidth, disk space, and local resources after the immediate task is complete.
The skill starts an IPFS daemon as a background process. This persistence is expected for a server node and the skill also documents stopping it, but users should know it continues running until stopped.
ipfs daemon &> ipfs.log 2>&1 &
Start the daemon only when needed, monitor resource use, and stop it when finished using the documented stop command or a managed service configuration.
Anyone with the JWT may be able to use the associated pinning service permissions, depending on how the token is scoped.
The skill documents optional use of a remote pinning service JWT. This is expected for remote pinning, but it introduces third-party account credentials not declared as required metadata.
ipfs pin remote service add pinata https://api.pinata.cloud/psa YOUR_JWT
Use a narrowly scoped token, avoid sharing it in chat or logs, and revoke or rotate it if exposed.
Publishing or pinning the wrong file or directory can make private or incorrect content available and harder to fully retract once shared.
The skill includes commands to add content and publish an IPNS record. This is central to the skill, but mistakes can make unintended content available through IPFS/IPNS or remote pins.
ipfs add -r ./updated-site/
ipfs name publish --key=my-site QmNewHash
Review paths and hashes before publishing, avoid adding private directories, and use test keys or local-only workflows before updating public IPNS records.
