ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Static Server

v1.0.0

Start a local HTTP server to preview static HTML pages. Use when testing static pages, previewing HTML files, or when browser tools cannot access file:// URL...

0· 401·2 current·2 all-time
by@liujintao-2021
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name, description, SKILL.md, and the included scripts all align: the skill is a small Python static-file server for previewing HTML. However, the code binds to all interfaces (socketserver.TCPServer(('', port))) while the description repeatedly refers to 'localhost' URLs; this is a notable mismatch between the claimed 'local-only' purpose and the actual network binding.
!
Instruction Scope
Instructions are limited to starting the server, opening a browser, and killing the process—appropriate for the stated purpose. Concern: the examples assume local-only access (http://localhost:PORT) but the server listens on all interfaces, which may expose served files to other hosts on the network. Also the alternative one-liner (python -m http.server) similarly defaults to listening on all interfaces in many environments.
Install Mechanism
No install spec; this is an instruction-only skill with a small included Python script. Nothing is written to disk by an installer and no external downloads are performed.
Credentials
No environment variables, credentials, or config paths are requested; the skill's requirements are minimal and proportionate to a local static server.
Persistence & Privilege
The skill is user-invocable, not always-enabled, and does not request persistent system privileges or modify other skills. Autonomous invocation is allowed by default but is not combined with other concerning privileges.
What to consider before installing
This skill is functionally coherent and contains no credential or install requirements, but take these precautions before using it: - Network exposure: the script binds to all interfaces (0.0.0.0) even though it advertises 'localhost'. If you only want local access, modify the bind to 127.0.0.1 (e.g., socketserver.TCPServer(('127.0.0.1', port), Handler)) or use an equivalent API that allows binding to localhost. - Do not serve directories containing secrets (SSH keys, config files, .env files). The server serves the whole directory tree you point it at. - Run as an unprivileged user and pick a non-conflicting port. Confirm your firewall or NAT does not forward the chosen port to the public internet. - If you cannot change the script, prefer running it from a dedicated temporary directory containing only files you intend to expose. If you accept the small change to bind only to localhost and follow the precautions above, the skill is reasonable for local static previewing. Otherwise, treat it as potentially exposing files on your local network.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ctpd2jxr1hwfstggj45kz4h829zfg
401downloads
0stars
1versions
Updated 22h ago
v1.0.0
MIT-0
@liujintao-2021
latest
Download

Static Server

Start a Python HTTP server to preview static HTML files in a browser.

When to Use

  • Testing static HTML pages
  • Previewing web pages before deployment
  • When browser tools block file:// protocol
  • Need a localhost URL for browser automation

Quick Start

Use the bundled script to start a server:

python scripts/serve.py <path> [--port PORT]

Arguments:

  • <path>: File path (serves parent directory) or directory path
  • --port: Optional port number (default: 8000)

Examples:

# Serve a specific HTML file
python scripts/serve.py /path/to/index.html

# Serve a directory
python scripts/serve.py /path/to/project

# Use custom port
python scripts/serve.py /path/to/index.html --port 9000

Output

The script prints:

  • Access URL: http://localhost:PORT/filename.html
  • Directory being served
  • Instructions to stop (Ctrl+C)

Usage in Testing

When testing static pages with browser tools:

  1. Start server with exec (background mode)
  2. Use the localhost URL with browser tools
  3. Complete testing
  4. Kill the server process

Example workflow:

// 1. Start server in background
exec({
  command: "python scripts/serve.py /path/to/index.html --port 8888",
  background: true
})

// 2. Open in browser
browser({
  action: "open",
  targetUrl: "http://localhost:8888/index.html"
})

// 3. Test and screenshot
browser({ action: "screenshot", fullPage: true })

// 4. Clean up
process({ action: "kill", sessionId: "..." })
browser({ action: "close" })

Alternative: One-liner

For quick testing without the script:

python -m http.server 8000 --directory /path/to/dir

Note: This serves the directory root, not a specific file.

Comments

Loading comments...