Publish Website Traefik
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated purpose, but it uses powerful Docker/public-deployment actions with weak validation around user input and cleanup paths.
Review before installing. This skill is coherent for publishing static websites, but only run it with trusted, simple subdomain names and website folders meant to be public. Confirm that Docker, Traefik, and DNS are correctly configured, and consider hardening the scripts before use.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or attacker-influenced subdomain could alter or break the generated Docker configuration and cause unintended Docker resources to be started.
A user-supplied subdomain is inserted directly into Docker Compose YAML and then executed with Docker Compose, with no visible DNS-label validation or escaping.
SUBDOMAIN="$2" ... cat <<EOF > "$TEMP_DIR/docker-compose.yml" ... container_name: "${SUBDOMAIN}-web" ... docker compose up -d
Validate the subdomain against a strict DNS-label pattern, reject slashes/newlines/quotes/special YAML characters, and generate Compose configuration using a safer templating approach.
If the deployment record is corrupted or poisoned, deletion could affect unintended directories or Docker Compose resources.
The cleanup path is read from persistent deployment state and then recursively deleted without checking that it is one of the script’s expected /tmp/traefik-deploy-* directories.
TEMP_DIR=$(echo "$DEPLOYMENT_INFO" | jq -r '.temp_dir') ... docker compose down -v ... rm -rf "$TEMP_DIR"
Canonicalize and validate temp_dir before use, require it to match the skill’s generated prefix, avoid deleting broad paths, and ask for confirmation before destructive cleanup.
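The two input checks recommended above (a strict DNS-label check on the subdomain, and a prefix check on the cleanup path) as an added bash example; this is not the skill's own code, and the function names validate_subdomain, validate_temp_dir and check_deployment_record are assumed here. It guards both the deploy path (before the subdomain reaches the Compose heredoc) and the delete path (before rm -rf runs on temp_dir).

```bash
#!/usr/bin/env bash
# Added example, not the skill's own scripts: input gates for the deploy
# and delete paths. Function names below are assumptions for illustration.
set -euo pipefail

# Accept exactly one DNS label: 1-63 chars, letters/digits/hyphens only,
# no leading or trailing hyphen. Anything else (slash, quote, space,
# newline, YAML specials) is rejected before it can reach the heredoc.
validate_subdomain() {
  local sub="$1"
  [ "${#sub}" -ge 1 ] && [ "${#sub}" -le 63 ] || return 1
  case "$sub" in
    -*|*-)            return 1 ;;   # hyphen at either end
    *[!a-zA-Z0-9-]*)  return 1 ;;   # any character outside the label alphabet
  esac
  return 0
}

# Accept only a cleanup path of the exact shape the skill generates,
# /tmp/traefik-deploy-<suffix>, where the suffix is one plain path
# component (no "/", no ".."), and refuse to follow a symlink elsewhere.
validate_temp_dir() {
  local dir="$1"
  case "$dir" in
    /tmp/traefik-deploy-?*) ;;      # expected prefix plus a non-empty suffix
    *) return 1 ;;
  esac
  case "${dir#/tmp/traefik-deploy-}" in
    *[!a-zA-Z0-9._-]*|*..*) return 1 ;;   # traversal or extra components
  esac
  [ -L "$dir" ] && return 1         # a symlinked record must not redirect rm -rf
  return 0
}

# Gate a deployment record (subdomain + temp_dir, as read from state)
# before either "docker compose" or "rm -rf" is allowed to run on it.
check_deployment_record() {
  validate_subdomain "$1" || { echo "rejected subdomain: $1" >&2; return 1; }
  validate_temp_dir "$2"  || { echo "rejected temp_dir: $2" >&2; return 1; }
  return 0
}
```

A caller would run check_deployment_record "$SUBDOMAIN" "$TEMP_DIR" and abort on non-zero status before the destructive step.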
Future deployments may run a different Nginx image than the one originally reviewed.
The deployment uses a mutable Docker image tag rather than a pinned digest.
image: nginx:alpine
Pin the Docker image to a specific version or digest and declare Docker, Docker Compose, and jq as required dependencies in metadata.
A deployed site and container can remain publicly reachable and consume resources until explicitly removed.
The script intentionally starts a detached container that persists after the immediate task until the delete script is run.
docker compose up -d ... Cleanup: To remove this deployment, use the delete_site.sh script
Only deploy content intended to be public, track active deployments, and use the delete script when the site should no longer be available.
