Axiomata Web Deploy

v1.1.0

Deploy a public web presence (HTML + Docker + DNS + Domain) in ~15 minutes. Triggers on: 'deploy website', 'build and deploy', 'create web presence', 'launch...

⭐ 0· 71·0 current·0 all-time

by@kofna3369

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for kofna3369/axiomata-web-deploy.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Axiomata Web Deploy" (kofna3369/axiomata-web-deploy) from ClawHub.
Skill page: https://clawhub.ai/kofna3369/axiomata-web-deploy
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install axiomata-web-deploy

ClawHub CLI

Package manager switcher

npx clawhub@latest install axiomata-web-deploy

Security Scan

VirusTotal

Pending

View report →

OpenClaw

Suspicious

medium confidence

Purpose & Capability

The stated purpose (deploy a website) aligns with the actions (build Docker image, run container, set DNS records). However the skill metadata claims no required env vars or credentials while the SKILL.md explicitly requires HOSTINGER_TOKEN, VPS_IP, DNS_ZONE_ID and reads a local credentials file. The metadata/instruction mismatch is a red flag for transparency or sloppy packaging.

Instruction Scope

The SKILL.md instructs the agent to read credentials from $HOME/.credentials/host_vps.md, create and remove directories under /data/deployments, run docker build/run/stop/rmi, curl external endpoints (ifconfig.me and provider APIs), and install certbot. These actions go beyond a simple locally-contained operation and contradict the skill's claim that it 'does not access files outside the project directory.'

✓

Install Mechanism

This is an instruction-only skill with no install spec or code executed from a downloaded archive. That lowers installation-time risk because nothing is written to disk by the registry installer itself. Risks arise from the runtime shell commands the instructions tell an agent to run.

Credentials

The skill requests access to sensitive credentials (DNS/provider API token, VPS IP) which are appropriate for DNS and deployment tasks, but these are not declared in the registry metadata. The SKILL.md also suggests reading a local credentials file; asking for tokens is proportionate to the job, but the omission from metadata and the loose guidance on where tokens are stored (plain files) reduce transparency and increase risk of accidental exposure.

ℹ

Persistence & Privilege

The skill is not marked always:true and is user-invocable (normal). It modifies filesystem state (creates /data/deployments, removes old deployments) and can install packages at runtime (certbot), which requires elevated privileges on the host. That behavior is plausible for a deploy tool but requires the user to run it in a controlled environment with appropriate permissions.

Scan Findings in Context

[unicode-control-chars] unexpected: The regex scanner detected unicode control characters in SKILL.md. This is not expected for a deployment guide and is often used in prompt-injection or to obfuscate content. The presence of control characters should be inspected and removed before trusting or executing the instructions.

What to consider before installing

This skill can perform legitimate website deployment tasks, but there are transparency and scope problems you should address before using it: - Do not trust the registry metadata alone: SKILL.md requires HOSTINGER_TOKEN, VPS_IP, and DNS_ZONE_ID even though metadata lists none. Expect to provide API tokens — only supply them from secure locations. - Inspect SKILL.md for hidden characters (control/unicode) and remove them; the scan found potential prompt-injection artifacts. - Review the exact shell commands and file paths. The skill reads ~/.credentials/host_vps.md and writes under /data/deployments and may delete old deployments; run it in an isolated VM/container and avoid running as root on important hosts. - Confirm DNS provider API endpoints (Hostinger, Cloudflare, Route53) are the ones you intend to use, and limit the token scopes to DNS record edits only. - If you want to proceed, test on a disposable VPS and domain first. If you cannot audit or sanitize the SKILL.md yourself, consider declining installation.

Like a lobster shell, security has layers — review code before you run it.

latestvk978r695r2d2b6696qjjsdaxgd85c4sy

71downloads

0stars

2versions

Updated 5d ago

v1.1.0

MIT-0

Axiomata Web Deploy — 15-Minute Public Web Presence

What this skill does: Takes a directory with HTML files and deploys a live, publicly accessible website on a VPS using Docker + DNS + Domain — fully autonomous, no human intervention after launch.

Security first: No credentials are embedded in this skill. All secrets are read from local files or environment variables. Never ship tokens in skill code.

Transparency: This skill is for deploying websites only. It does not: exfiltrate data, access files outside the project directory, or perform any action beyond web deployment.

Required env vars: HOSTINGER_TOKEN, VPS_IP, DNS_ZONE_ID (or equivalents for your DNS provider)

Architecture Overview

+------------------------------------------------------+
|              15-MINUTE DEPLOYMENT PIPELINE           |
+------------------------------------------------------+
|  Phase 1 (2 min)  → Create HTML + Dockerfile        |
|  Phase 2 (2 min)  → Build Docker image              |
|  Phase 3 (3 min)  → Deploy to Docker                |
|  Phase 4 (3 min)  → Configure DNS + attach domain   |
|  Phase 5 (5 min)  → Verify everything works         |
+------------------------------------------------------+
  Total: ~15 min | DNS propagation: 5-48h

Prerequisites

VPS with Docker installed
Domain name registered (optional but recommended)
DNS provider API token (stored locally, NOT in skill)
Nginx or similar web server

Phase 1 — Project Setup (2 min)

mkdir -p /data/deployments/<project-name>
cd /data/deployments/<project-name>

index.html:

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>My Site</title>
</head>
<body>
  <h1>[ROCKET] Deployed with Axiomata Web Deploy</h1>
  <p>Live in 15 minutes.</p>
</body>
</html>

nginx.dockerfile:

FROM nginx:alpine
COPY index.html /usr/share/nginx/html/index.html
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

Phase 2 — Build Docker (2 min)

docker build -f nginx.dockerfile -t <project-name>:latest .

Phase 3 — Deploy Container (3 min)

# Stop existing container (ignore errors)
docker stop <project-name> 2>/dev/null || true
docker rm <project-name> 2>/dev/null || true

# Run as daemon
docker run -d \
  --name <project-name> \
  -p 80:80 \
  --restart unless-stopped \
  <project-name>:latest

# Verify
docker ps | grep <project-name>
curl -s http://localhost/ | head -20

Port mapping:

Default: 80:80 (HTTP)
Multiple sites: different local ports (8080:80, 3000:80)
Open ports in VPS firewall

Phase 4 — DNS + Domain (3 min)

Get Your VPS Public IP

curl -s ifconfig.me

DNS Setup (Example: Hostinger API)

Credentials stored locally — never in skill.

Your credentials file (replace with your actual path):

# Example: ~/.credentials/host_vps.md
# Format:
# Token: YOUR_TOKEN_HERE
# IP: YOUR_VPS_IP

HOSTINGER_TOKEN=$(grep '^Token:' "$HOME/.credentials/host_vps.md" | awk '{print $2}')
VPS_IP=$(grep '^IP:' "$HOME/.credentials/host_vps.md" | awk '{print $2}')

Required environment variables (declare these before running):

Variable	Description	Example
`HOSTINGER_TOKEN`	Hostinger API token	`hKsW...`
`VPS_IP`	Your VPS public IP	`31.97.150.235`
`DNS_ZONE_ID`	Your DNS zone ID	`abc123`

Create DNS records:

# Get your DNS zones
curl -s -X GET "https://api.hostinger.com/api/vps/v1/dns/zones" \
  -H "Authorization: Bearer $HOSTINGER_TOKEN"

# Create root A record
curl -s -X POST "https://api.hostinger.com/api/vps/v1/dns/zones/<zone-id>/records" \
  -H "Authorization: Bearer $HOSTINGER_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"type\": \"A\", \"name\": \"@\", \"value\": \"$VPS_IP\", \"ttl\": 300}"

# Create www subdomain
curl -s -X POST "https://api.hostinger.com/api/vps/v1/dns/zones/<zone-id>/records" \
  -H "Authorization: Bearer $HOSTINGER_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{\"type\": \"A\", \"name\": \"www\", \"value\": \"$VPS_IP\", \"ttl\": 300}"

For Cloudflare, Namecheap, Route53: Use their API with the same pattern — store credentials locally, reference them at runtime.

Phase 5 — Verify (5 min)

# 1. Container running?
docker ps | grep <project-name>

# 2. Local response?
curl -s --max-time 5 http://localhost/ | grep -o "<title>.*</title>"

# 3. Container logs clean?
docker logs <project-name> --tail 20

# 4. DNS resolved?
dig +short <domain> @8.8.8.8

# 5. External access (with Host header)
curl -s --max-time 10 -H "Host: <domain>" http://<VPS_IP>/

Boilerplate Template

Copy from assets/web-boilerplate/:

index.html — Clean landing page
nginx.dockerfile — Nginx container

Customize and deploy.

Cleanup Old Deployments

# List all
docker ps -a --format "table {{.Names}}\t{{.Status}}\t{{.Ports}}"

# Remove
docker stop <old-project> && docker rm <old-project>
docker rmi <old-project>:latest
rm -rf /data/deployments/<old-project>

HTTPS (Optional, +5 min)

apt install certbot python3-certbot-nginx
certbot --nginx -d <domain> -d www.<domain>

Success Checklist

Container running: docker ps | grep <project-name>
Local test: curl http://localhost/ returns HTML
DNS resolved: dig +short <domain> shows VPS IP
Public access: External request returns content
(Optional) HTTPS: SSL certificate active

Security Rules (Critical)

[WARNING] Never embed credentials in skill code or documentation.

API tokens → read from local files only

Passwords → never in source or docs

Before publishing anywhere: grep all files for tokens, keys, secrets

The skill teaches the process, not carries the keys.

In Altum Per Axioma. Merlin

Comments

Loading comments...