Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

initial-traefik

v1.0.0

Initialize and configure Traefik reverse proxy with Docker. Install Traefik, configure Docker Compose, set up service routing via path prefix or host-based r...

Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the assets and runtime instructions: docker-compose and a dynamic Traefik config are provided. The requested filesystem mounts and commands (docker compose up, docker network connect) are expected for running Traefik with Docker.
Instruction Scope
Instructions stay within the stated scope (install/configure Traefik). However the provided examples and docker-compose defaults enable an insecure dashboard (--api.insecure=true / exposed dashboard hostname) and instruct mounting /var/run/docker.sock into the traefik container. Those are functional for the goal but raise security concerns (dashboard exposure, high privilege via Docker socket).
Install Mechanism
This is an instruction-only skill with no install spec or external downloads. Nothing is written to disk by the skill itself beyond the user's creation of the compose files provided as templates.
Credentials
No environment variables or external credentials are requested (proportional). That said, the recommended mount of /var/run/docker.sock grants the Traefik container effective control over the Docker host (common for providers but high privilege). Example basicAuth uses a hardcoded bcrypt string in docs—fine as an example but users must replace it with real credentials.
Persistence & Privilege
The skill is not marked always:true and does not request persistent platform privileges. It's instruction-only and does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says (set up Traefik via Docker Compose) but includes insecure defaults you should fix before deploying:

- Mounting /var/run/docker.sock into a container gives that container high privileges over your host. Only do this on trusted hosts and understand the risk; a read-only mount flag does not reliably prevent privileged actions.
- The provided docker-compose enables an insecure dashboard (--api.insecure=true) and exposes the dashboard via a public hostname example (nip.io). If you run this on a network reachable from the internet, an attacker could access the Traefik admin UI. Remove --api.insecure=true, restrict the dashboard to an internal network or localhost, and protect it with authentication (basicAuth) or firewall rules.
- Replace example/basicAuth password hashes with your own securely generated credentials; do not reuse the example hash in production.
- If you need public TLS, configure ACME carefully (provide a valid email and secure storage for acme.json) and consider rate limits and domain ownership implications of using nip.io.

Recommended immediate changes before use: remove or restrict --api.insecure=true, bind the dashboard to an internal entrypoint, enable authenticated access, limit exposure of services via firewall, and understand the implications of mounting the Docker socket. If you want, I can provide a hardened docker-compose.yml and traefik-dynamic.yml with safer defaults.

Like a lobster shell, security has layers — review code before you run it.

v1.0.0
MIT-0

Initial Traefik

Initialize and configure Traefik v3 reverse proxy with Docker Compose for service routing and load balancing.

Quick Start

1. Create Configuration

mkdir -p ~/.docker/compose
cd ~/.docker/compose

2. Create docker-compose.yml

Use assets/docker-compose.yml as template. Key configuration:

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik-dynamic.yml:/etc/traefik/dynamic.yml:ro
    command:
      - --api=true
      - --api.dashboard=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --providers.file.directory=/etc/traefik
      - --providers.file.watch=true
      - --entrypoints.web.address=:80
      - --accesslog=true
      - --metrics.prometheus=true

3. Create Dynamic Configuration

Use assets/traefik-dynamic.yml as template for service routing.

4. Start Traefik

docker compose up -d

5. Connect Services to Network

# Replace <service-names> with a space-separated list of container names
for container in <service-names>; do
  docker network connect compose_default "$container"
done

Routing Options

Option A: Path Prefix Routing (IP + Path)

Access services via http://<IP>/<service>:

http:
  routers:
    n8n:
      rule: "PathPrefix(`/n8n`)"
      service: n8n
      entryPoints:
        - web
      middlewares:
        - n8n-stripprefix
  
  middlewares:
    n8n-stripprefix:
      stripPrefix:
        prefixes:
          - /n8n
  
  services:
    n8n:
      loadBalancer:
        servers:
          - url: "http://n8n:5678"

Access: http://192.168.9.192/n8n

Option B: Host-Based Routing (.nip.io)

Access services via http://<service>.<IP>.nip.io:

http:
  routers:
    n8n:
      rule: "Host(`n8n.192.168.9.192.nip.io`)"
      service: n8n
      entryPoints:
        - web
  
  services:
    n8n:
      loadBalancer:
        servers:
          - url: "http://n8n:5678"

Access: http://n8n.192.168.9.192.nip.io

Option C: Docker Labels

Configure routing directly in docker-compose.yml labels:

services:
  traefik:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.192.168.9.192.nip.io`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=web"
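
A small audit of a compose file for the three risks the scan assessment names: the insecure API flag, the Docker socket mount, and a dashboard router with no middleware in front of it. This is an added example, not part of the skill's own files; the sample compose text is constructed from the snippets above, and the finding names and the line-based parsing (no YAML library) are assumptions of this example.

```python
import re

# Constructed sample: the page's compose settings and Option C labels, plus the
# --api.insecure=true flag that the scan reports in the skill's template.
SAMPLE_COMPOSE = """\
services:
  traefik:
    image: traefik:v3.0
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - --api=true
      - --api.dashboard=true
      - --api.insecure=true
      - --entrypoints.web.address=:80
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dashboard.rule=Host(`traefik.192.168.9.192.nip.io`)"
      - "traefik.http.routers.dashboard.service=api@internal"
      - "traefik.http.routers.dashboard.entrypoints=web"
"""

def list_items(text):
    """Return YAML list entries ('- value' lines) with surrounding quotes stripped."""
    return [m.strip().strip("\"'") for m in re.findall(r"^\s*-\s+(.+)$", text, re.M)]

def audit_compose(text):
    """Return sorted finding IDs (hypothetical names) for the risks in the assessment."""
    items = list_items(text)
    findings = set()
    for item in items:
        if re.fullmatch(r"--api\.insecure(=true)?", item, re.I):
            findings.add("api-insecure")
        if item.split(":")[0] == "/var/run/docker.sock":
            findings.add("docker-socket-mounted")  # ':ro' does not remove the risk
    labels = dict(i.split("=", 1) for i in items if i.startswith("traefik.") and "=" in i)
    for key, value in labels.items():
        m = re.fullmatch(r"traefik\.http\.routers\.([^.]+)\.service", key)
        # A router that serves api@internal needs an auth middleware in front of it.
        if m and value == "api@internal":
            if f"traefik.http.routers.{m.group(1)}.middlewares" not in labels:
                findings.add(f"dashboard-router-without-middleware:{m.group(1)}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_COMPOSE):
        print(finding)
```
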

Enable Features

See references/features.md for complete feature list and configuration.

Common Tasks

Add New Service

  1. Connect container to network:

    docker network connect compose_default <container-name>
    
  2. Add router to traefik-dynamic.yml:

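    # Merge these entries under the existing http: section of traefik-dynamic.yml
    routers:
      myservice:
        rule: "PathPrefix(`/myservice`)"
        service: myservice
        entryPoints:
          - web
        middlewares:
          - myservice-stripprefix
    
    # The router above references this middleware, so it must be defined
    middlewares:
      myservice-stripprefix:
        stripPrefix:
          prefixes:
            - /myservice
    
    services:
      myservice:
        loadBalancer:
          servers:
            - url: "http://<container-name>:<port>"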
    

Traefik reloads the dynamic configuration automatically because --providers.file.watch=true is set.

Check Status

docker logs traefik | grep -E "router|error"
docker exec traefik wget -q -O - http://localhost:8080/api/http/routers

Restart Traefik

docker restart traefik

References

  • Features: See references/features.md for all available features
  • Examples: See references/examples.md for common configurations
  • Templates: See assets/ for configuration templates

Troubleshooting

  • 404 errors: Check container is connected to compose_default network
  • Configuration not loading: Check traefik-dynamic.yml YAML syntax
  • Service not accessible: Verify container name and port in service configuration
  • Dashboard not working: Ensure --api.dashboard=true is in command
