Boxed HTTP Server
v1.0.1
WebAssembly sandbox static HTTP server with HTTP Basic auth and proxy support. Use when starting a static file server, configuring HTTP authentication, setti...
by @guyoung
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description describe a wasm-based static HTTP server and the SKILL.md only requires the wasm-sandbox plugin and a wasm component file; no unrelated env vars, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are limited to downloading a wasm component into ~/.openclaw/skills/boxed-http-server/files, starting the wasm sandbox server, binding to IP/port, serving a workDir, and configuring optional proxy/auth. This stays within the stated purpose, but it explicitly writes a downloaded binary to disk and runs a network-facing server and proxy — both of which merit review before use. The examples also demonstrate embedding Authorization headers in proxy config (user-supplied secrets).
Install Mechanism
No formal install spec, but the SKILL.md instructs downloading a wasm file from https://raw.githubusercontent.com/... GitHub raw is a common host, but a file served from a raw URL may contain arbitrary code. The wasm will be written to disk and executed by the wasm sandbox; consider verifying the provenance and checksum of the wasm binary.
Credentials
The skill requests no environment variables or credentials. The only credential-like content appears in examples (proxy Authorization header) which are user-supplied configuration values — avoid embedding secrets in persistent args or public examples.
Persistence & Privilege
Skill is instruction-only, does not set always:true, and does not request system-wide config changes. It writes files under the skill directory (~/.openclaw/skills/...), which is expected for skills.
Assessment
This skill appears to do what it says, but before installing or running it:
1) Inspect and verify the wasm component (the raw.githubusercontent.com URL); prefer a released artifact with a checksum or a trusted repo/maintainer.
2) Avoid placing secrets (API keys, bearer tokens, passwords) directly into static args/config; supply them via secure channels and short-lived tokens.
3) Run the server in an isolated/test environment first (not on production hosts), limit bind IP/port and firewall exposure, and restrict allowedOutboundHosts to only needed domains.
4) Review the openclaw-wasm-sandbox plugin version and its capability grants (ensure the wasm is given only the minimal network/file rights it needs).
If you cannot validate the wasm binary's origin or contents, treat the download as untrusted and do not run it on sensitive systems.
Like a lobster shell, security has layers — review code before you run it.
