one line HTTP static server

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is coherent for starting a local static web server, but users should be careful about which folder is served, whether it is exposed to the network, and any optional package installs.

Before installing or using this skill, remember that it helps an agent start a web server for local files. Confirm the folder, port, and bind address first; use localhost for private previews; avoid serving folders with secrets; and be cautious with optional commands that install or run third-party packages.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent starts the server in the wrong folder, files in that folder may become accessible through the local web server.

Why it was flagged

The skill is designed to start a local HTTP server over a selected directory. Serving local files is purpose-aligned, and the skill includes confirmation guidance, but the directory and port materially affect what becomes reachable.

Skill content

Always confirm the desired **port** (default 8000) and **directory** (default `.`).

Recommendation

Confirm the directory and port before running a server command, and prefer a non-sensitive test folder.

What this means

Binding to 0.0.0.0 can expose the served files beyond the local machine, depending on firewall and network settings.

Why it was flagged

Some documented commands bind to all network interfaces, which can make the served directory reachable from other devices on the network. This is disclosed and fits the LAN-sharing use case, but users should choose it intentionally.

Skill content

```bash
jwebserver -d . -b 0.0.0.0 -p 8000
```

Recommendation

Use localhost or 127.0.0.1 for private previewing, and only bind to 0.0.0.0 when you intentionally want LAN access.

What this means

Using remote packages or container images may execute code from package registries or image repositories you have not separately reviewed.

Why it was flagged

The references include optional commands that fetch or run third-party packages using latest/default versions. This is common for a multi-tool static-server reference, but it relies on external package sources.

Skill content

```bash
go run github.com/goware/webify@latest -port 8000 .
```

Recommendation

Prefer built-in options such as Python's http.server when available, or use trusted and pinned package versions/images for repeatable workflows.

What this means

A background server may keep serving files until it is stopped.

Why it was flagged

The documentation includes an explicit optional background server mode. It is not hidden and is aligned with static serving, but it can continue running after the immediate task.

Skill content

Run in background (daemonize):

```bash
busybox httpd -p 8000
```

Recommendation

Prefer foreground commands for temporary previews, or make sure you know how to stop any daemonized or detached server.