Server
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied as-is in the wrong environment, this could expose Traefik administrative or routing information to other reachable services or users.
The Traefik example enables the unauthenticated API/dashboard. It is explicit and related to reverse-proxy setup, but can be unsafe if reused in a reachable production environment.
- "--api.insecure=true"
Remove `--api.insecure=true` for production, or expose the dashboard only behind authentication and trusted network controls.
A compromised or misconfigured container with Docker socket access may reveal container metadata or increase impact on the host environment.
Mounting the Docker socket lets Traefik inspect Docker state for service discovery. This is a common Traefik pattern, but it expands the container's visibility and privilege boundary.
- /var/run/docker.sock:/var/run/docker.sock:ro
Use the Docker socket only when needed, keep Traefik tightly controlled, consider a restricted Docker socket proxy, and avoid exposing the Traefik dashboard/API.
Services created from these examples may keep running after the immediate task and may restart automatically.
The instructions show enabling and starting a systemd service so it persists across reboots. That is expected for server deployment and is disclosed, but it changes long-running host state.
After creating: `systemctl daemon-reload && systemctl enable myapp && systemctl start myapp`
Confirm service names, users, working directories, and restart policies before enabling services, and document how to stop or disable them.