Server
PassAudited by ClawScan on May 1, 2026.
Overview
This instruction-only server administration skill matches its stated purpose, but users should review its examples because they can create persistent services, use privileged Docker access, and include an insecure Traefik API option.
Use this skill only on servers or local environments you intend to administer. Review commands before running them, remove or secure Traefik's insecure API setting, replace placeholder passwords, and be careful before enabling persistent services or removing Docker volumes.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied as-is in the wrong environment, this could expose Traefik administrative or routing information to other reachable services or users.
The Traefik example enables the unauthenticated API/dashboard. It is explicit and related to reverse-proxy setup, but can be unsafe if reused in a reachable production environment.
- "--api.insecure=true"
Remove `--api.insecure=true` for production, or expose the dashboard only behind authentication and trusted network controls.
A compromised or misconfigured container with Docker socket access may reveal container metadata or increase impact on the host environment.
Mounting the Docker socket lets Traefik inspect Docker state for service discovery. This is a common Traefik pattern, but it expands the container's visibility and privilege boundary.
- /var/run/docker.sock:/var/run/docker.sock:ro
Use the Docker socket only when needed, keep Traefik tightly controlled, consider a restricted Docker socket proxy, and avoid exposing the Traefik dashboard/API.
Services created from these examples may keep running after the immediate task and may restart automatically.
The instructions show enabling and starting a systemd service so it persists across reboots. That is expected for server deployment and is disclosed, but it changes long-running host state.
After creating: `systemctl daemon-reload && systemctl enable myapp && systemctl start myapp`
Confirm service names, users, working directories, and restart policies before enabling services, and document how to stop or disable them.