Nginx Proxy Manager

v1.0.0

Manage Nginx Proxy Manager (NPM) for reverse proxy and SSL termination to internal services like staging/prod apps. Use when creating/updating proxy hosts, r...

Security Scan
VirusTotal
Benign
OpenClaw
Benign
high confidence
Purpose & Capability
Name and description align with the instructions: creating/updating proxy hosts, requesting Let's Encrypt certs, enforcing HTTPS, websocket support, and routing to upstreams. Nothing in the SKILL.md unexpectedly requests unrelated cloud providers, system-level credentials, or other services.
Instruction Scope
Runtime instructions are narrowly scoped to NPM operations (check DNS, call NPM API token endpoint, create/update proxy hosts, check certificates). They do not instruct the agent to read unrelated files, system credentials, or transmit data to third-party endpoints outside of the described workflow.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — minimal risk from installation. The skill relies on normal tooling (curl) but does not force any downloads or archive extraction.
Credentials
SKILL.md recommends environment variables (NPM_BASE_URL, NPM_IDENTITY, NPM_SECRET) and shows an example curl token request, but the registry metadata lists no required env vars. This is a minor metadata mismatch (recommended vs declared). The requested variables themselves are proportional and expected for authenticating to NPM; do not provide them in-line — use secure agent secret storage as advised.
Persistence & Privilege
The skill does not request permanent 'always' presence and has default autonomous invocation settings. It does not ask to modify other skills or system-wide config. Normal agent autonomy applies and is appropriate for this task.
Assessment
This skill appears to do what it says: manage Nginx Proxy Manager via its API. Before using it, keep these simple precautions: (1) don't paste NPM_IDENTITY/NPM_SECRET into chat — store them in your agent's secret store or an external vault and only grant the skill access to those secrets when needed; (2) verify the agent will limit changes to the intended environment (use staging first and snapshot/export NPM config before touching production); (3) note the small metadata mismatch: SKILL.md recommends env vars that the registry didn't mark as required — treat them as sensitive and configure them securely; (4) if you need tighter control, require explicit human approval before the skill makes changes to production domains.


Updated 1mo ago
MIT-0

Nginx Proxy Manager Workflow

Use this skill to terminate SSL at NPM and route traffic to backend services (staging/prod).

Required inputs

  • Domain/subdomain (e.g. staging.example.com)
  • Public DNS already pointing to NPM public IP
  • Upstream target host/IP + port (e.g. 10.10.10.227:3000)
  • Whether Cloudflare proxy is enabled (if used)

Authentication (do not hardcode secrets)

Store credentials outside this skill (local secret file or environment variables).

Recommended env vars:

  • NPM_BASE_URL (e.g. http://<npm-host>:81)
  • NPM_IDENTITY
  • NPM_SECRET

Example token request:

curl -sS -X POST "$NPM_BASE_URL/api/tokens" \
  -H 'Content-Type: application/json; charset=UTF-8' \
  --data "{\"identity\":\"$NPM_IDENTITY\",\"secret\":\"$NPM_SECRET\"}"

Standard setup flow

  1. Confirm DNS resolves to NPM public IP.
  2. Create or update Proxy Host in NPM:
    • Domain Names: requested host(s)
    • Scheme: http (or https if upstream is TLS)
    • Forward Hostname/IP: upstream IP/hostname
    • Forward Port: app port
    • Enable:
      • Block Common Exploits
      • Websockets Support
  3. SSL tab:
    • Request new SSL certificate (Let's Encrypt)
    • Enable Force SSL
    • Enable HTTP/2 Support
    • Enable HSTS only after validation
  4. Save and verify:
    • curl -I https://<domain> returns 200/301
    • Browser check for valid certificate and app reachability

Recommended defaults

  • Keep upstream as private IP where possible.
  • Use separate hostnames per environment:
    • app.example.com → production
    • staging.example.com → staging
  • Avoid wildcard certificates unless explicitly needed.

Troubleshooting

  • Certificate issuance fails:
    • Check DNS A/AAAA records
    • Ensure ports 80/443 reach NPM
    • Disable conflicting CDN TLS mode or set to Full/Strict appropriately
  • 502 Bad Gateway:
    • Verify upstream container/service is running
    • Verify correct target port and local firewall rules
  • Redirect loops:
    • Don’t double-force HTTPS (app + proxy misconfiguration)

Publication hygiene checklist

Before sharing/publishing this skill:

  • Remove all real IPs, domains, emails, and tokens.
  • Keep only placeholders like example.com and <npm-host>.
  • Ensure no local credential file paths or secret values are included.

Safety rules

  • Never remove existing production proxy hosts unless explicitly requested.
  • For changes on production domains, snapshot/export config or document previous values first.
  • Apply changes to staging first when possible.
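
The setup flow, recommended defaults and safety rules above, as an added Python example that is not part of the skill: it builds the token and proxy-host request bodies and lists the values an update would overwrite, so they can be recorded first. The proxy-host field names are assumed from NPM's API schema and should be checked against the installed version; the sample host is constructed, and the page's "where possible" advice is enforced here as a hard failure.

```python
import ipaddress
import json


def token_request_body(identity, secret):
    """Body for POST $NPM_BASE_URL/api/tokens. json.dumps escapes quotes and
    backslashes that would corrupt a hand-interpolated JSON string."""
    return json.dumps({"identity": identity, "secret": secret})


def proxy_host_payload(domains, upstream, scheme="http", validated=False):
    """Build a proxy-host body from the checklist; raise on risky input."""
    problems = [f"wildcard host {d}" for d in domains if d.startswith("*.")]
    host, _, port = upstream.rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        problems.append(f"upstream {upstream!r} is not host:port")
    else:
        try:
            if not ipaddress.ip_address(host).is_private:
                problems.append(f"upstream {host} is a public address")
        except ValueError:
            pass  # a hostname upstream cannot be classified offline
    if scheme not in ("http", "https"):
        problems.append(f"scheme {scheme!r} is not http or https")
    if problems:
        raise ValueError("; ".join(problems))
    return {  # field names assumed from NPM's proxy-host schema
        "domain_names": list(domains),
        "forward_scheme": scheme,
        "forward_host": host,
        "forward_port": int(port),
        "block_exploits": True,
        "allow_websocket_upgrade": True,
        "ssl_forced": True,
        "http2_support": True,
        "hsts_enabled": validated,  # stays off until the certificate is checked
    }


def previous_values(existing, desired):
    """Fields an update would change, with the values to record beforehand."""
    return {k: existing.get(k) for k, v in desired.items() if existing.get(k) != v}


# Constructed sample: a staging host as it might already exist in NPM.
EXISTING = {"domain_names": ["staging.example.com"], "forward_scheme": "http",
            "forward_host": "10.10.10.227", "forward_port": 8080,
            "block_exploits": False, "allow_websocket_upgrade": True,
            "ssl_forced": True, "http2_support": True, "hsts_enabled": False}
DESIRED = proxy_host_payload(["staging.example.com"], "10.10.10.227:3000")
```

Calling `previous_values(EXISTING, DESIRED)` before sending the update gives the record of prior settings that the safety rules ask for.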
