Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nginx Hosting
v1.0.0
Zero-auth static game hosting via the server's local nginx instance. Primary deployment method for all browser games. No login, no token, no user action requ...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (generic 'Nginx Hosting') align with the instructions (copy static files to an nginx-served directory and reload nginx). However the SKILL.md is tightly bound to a specific host/domain (roger-us02.clawln.net) and specific paths (/data/games/, /etc/nginx/ conf path, /usr/sbin/nginx). The registry metadata did not declare those host-specific paths or binaries — that's an inconsistency.
Instruction Scope
Runtime instructions tell the agent to copy arbitrary build files into /data/games/{game-name} and run '/usr/sbin/nginx -s reload'. Those actions require filesystem write access to a system webroot and the ability to control a system service (likely root). The instructions do not limit or validate the files being deployed and offer no guidance about permissions, ownership, or safety checks — this broad scope increases risk.
Install Mechanism
This is an instruction-only skill with no install spec or code to write to disk. That minimizes install-time risk.
Credentials
The skill declares no required env vars/config but the instructions reference sensitive system paths (/etc/nginx/conf.d/roger-us02.clawln.net.conf), the nginx binary (/usr/sbin/nginx), and a writable webroot (/data/games/). Those should have been declared as required config paths/binaries. The lack of declared requirements hides the privileged/system-level effects of running the skill.
Persistence & Privilege
The skill does not request 'always:true', but its actions require elevated privileges (writing to /data and reloading nginx). The skill does not document required permissions or recommend running in a sandbox. Because it enables unauthenticated public hosting by copying arbitrary files, it has a meaningful privilege/impact footprint that isn't surfaced in metadata.
What to consider before installing
This skill's instructions will copy files into /data/games/ and reload the host nginx service — actions that typically require root and will publish any deployed content publicly at the hardcoded domain. Before installing or invoking it:
(1) verify you actually control roger-us02.clawln.net and the referenced nginx config and SSL cert;
(2) confirm the agent will run with appropriate privileges (or run commands manually as an admin);
(3) ask the author to list required binaries and config paths (/usr/sbin/nginx, /data/games/, /etc/nginx/...), and to provide safeguards (input validation, ownership/permission steps, sandboxing);
(4) audit any files you deploy for malicious content and consider serving from a constrained account or container rather than the host nginx process;
(5) if you don't trust the source or cannot validate the host/domain/config, do not run the automated instructions — run the steps manually in a controlled environment.
Like a lobster shell, security has layers — review code before you run it.
latest vk97dahy8rz0bnyhrc2e340r9es836wgr
