← Back to Skills Marketplace
shaojun0

nginx-explorer

by shaojun0 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
196
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install nginx-explorer
Description
Explore nginx-proxied directories to discover tools and utilities. Use when: user asks to explore available tools, find utilities for specific tasks, or when...
Usage Guidance
This skill does what it says (discover and use tools on an nginx index), but it also instructs the agent to download and execute arbitrary code from the configured server — a high-risk operation if the server or its contents are not fully trusted. Before enabling or running this skill: - Only point NGINX_URL at servers you fully trust (ideally internal, isolated hosts). Do not use public or untrusted servers. - Require manual confirmation before any download+execute step (the skill currently describes automatic execution without enforced confirmation). - Add explicit required binaries to the skill configuration (python, pip, tar/unzip, bash) or restrict the skill to read-only discovery if you cannot guarantee runtimes. - Run any downloaded tools in an isolated sandbox or container, and inspect README and code before executing. Consider forbidding pip install from remote requirements.txt or pre-vetting the dependencies. - Set NGINX_SKIP_SSL_VERIFY to false unless you control the server and accept the risk of skipping verification; defaulting to true is risky. - If you need stronger guarantees, request the author add signature verification, allowlists, or a mode that returns README contents only (no download/execute). Given the mismatch between declared requirements and the described execution behavior and the lack of safeguards, proceed with caution — this is suspicious but not obviously malicious; additional safeguards or author clarifications would reduce risk.
Capability Analysis
Type: OpenClaw Skill Name: nginx-explorer Version: 1.0.0 The nginx-explorer skill facilitates remote code execution (RCE) by design, instructing the AI agent to discover, download, and execute arbitrary scripts (shell, python) from a user-configured Nginx server. Key indicators include instructions in SKILL.md to use 'chmod +x' and 'pip install -r requirements.txt' on remote content, combined with an insecure default that skips SSL verification (NGINX_SKIP_SSL_VERIFY: true). While these capabilities are highly risky and could be easily exploited if the NGINX_URL points to a malicious source, the provided files lack evidence of a hardcoded malicious payload or intentional data exfiltration.
Capability Assessment
Purpose & Capability
The skill is described as an nginx directory explorer and the required primaryEnv (NGINX_URL) and curl binary match that purpose. However, the SKILL.md and README show workflows that download and execute Python scripts and install pip requirements, yet the skill does not declare Python, pip, or other runtime binaries as required. That mismatch (declared requirements too narrow for described behavior) is an incoherence to be aware of.
Instruction Scope
Runtime instructions explicitly tell the agent to enumerate directories, read README.md files, download arbitrary files (scripts/archives), run pip install -r requirements.txt, chmod +x and execute downloaded tools. Those actions permit arbitrary remote code execution and potential data exfiltration or lateral movement. The instructions lack explicit, enforced safeguards (user confirmation, sandboxing, integrity checks, allowlists) and are broad enough to let an agent autonomously fetch and run untrusted code.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to run at install time, which minimizes install-time risk. There is nothing being downloaded or installed by the installer itself.
Credentials
The only required environment variable declared is NGINX_URL (plus optional NGINX_SKIP_SSL_VERIFY). That is appropriate for discovery. However, the skill’s instructions assume other capabilities (python, pip, write access to /tmp or a downloadDir) but do not declare them as required — this under-declaration reduces transparency and may cause unexpected runtime behavior or privilege use.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. That is appropriate and avoids forced inclusion. One important note: because the platform allows autonomous invocation by default, the combination of autonomous invocation plus the skill's ability to fetch and execute remote code increases the operational risk if the agent is permitted to call the skill without human oversight.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install nginx-explorer
  3. After installation, invoke the skill by name or use /nginx-explorer
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of nginx-explorer skill. - Enables exploration of nginx-proxied directory structures to discover available tools and utilities. - Fetches directory listings and reads README.md files in each directory for tool descriptions and usage instructions. - Requires configuration of the base nginx URL; supports optional SSL verification skipping for internal/self-signed environments. - Integrates with OpenClaw workflows to aid in tool discovery and selection when conventional solutions fail. - Provides bash workflow examples for discovering, searching, downloading, and running tools from the nginx-served directories.
Metadata
Slug nginx-explorer
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is nginx-explorer?

Explore nginx-proxied directories to discover tools and utilities. Use when: user asks to explore available tools, find utilities for specific tasks, or when... It is an AI Agent Skill for Claude Code / OpenClaw, with 196 downloads so far.

How do I install nginx-explorer?

Run "/install nginx-explorer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is nginx-explorer free?

Yes, nginx-explorer is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does nginx-explorer support?

nginx-explorer is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created nginx-explorer?

It is built and maintained by shaojun0 (@shaojun0); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments