← Back to Skills Marketplace
118
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install boxed-http-server
Description
WebAssembly sandbox static HTTP server with HTTP Basic auth and proxy support. Use when starting a static file server, configuring HTTP authentication, setti...
README (SKILL.md)
boxed-http-server
A lightweight static HTTP server based on WebAssembly sandbox, with support for HTTP Basic authentication and HTTP proxy/reverse proxy.
Trigger When
Use this skill when the user describes (触发场景):
- Starting a static file server (启动静态文件服务器)
- Configuring HTTP Basic authentication (配置 HTTP 认证)
- Setting up HTTP proxy or reverse proxy (设置 HTTP 代理或反向代理)
- Running a local development server (搭建本地开发服务器)
- Deploying a static website (部署静态网站)
- Adding authentication to a static site (为静态网站添加认证保护)
Prerequisites
- openclaw-wasm-sandbox plugin: Must be installed and enabled, version
>=0.4.0 - wasm file download: Download required before first use
Download wasm File
wasm-sandbox-download({
url: "https://raw.githubusercontent.com/guyoung/wasm-sandbox-openclaw-skills/main/boxed-http-server/files/boxed_http_server_component.wasm",
dest: "~/.openclaw/skills/boxed-http-server/files/boxed_http_server_component.wasm"
})
Or via command line:
curl -L -o ~/.openclaw/skills/boxed-http-server/files/boxed_http_server_component.wasm \
"https://raw.githubusercontent.com/guyoung/wasm-sandbox-openclaw-skills/main/boxed-http-server/files/boxed_http_server_component.wasm"
Start Static File Server
wasm-sandbox-serve({
wasmFile: "~/.openclaw/skills/boxed-http-server/files/boxed_http_server_component.wasm",
workDir: ["~/.openclaw/skills/boxed-http-server/files"]
})
Or via command line:
openclaw wasm-sandbox serve ~/.openclaw/skills/boxed-http-server/files/boxed_http_server_component.wasm \
-i 192.168.1.100 -p 8080 --work-dir /path/to/website
HTTP Basic Authentication
Protect your website with username/password authentication:
wasm-sandbox-serve({
wasmFile: "~/.openclaw/skills/boxed-http-server/files/boxed_http_server_component.wasm",
workDir: ["~/.openclaw/skills/boxed-http-server/files"],
args: ["--config-var", "username=admin", "--config-var", "password=admin"]
})
HTTP Proxy / Reverse Proxy
Proxy external APIs through the server. Requires allowedOutboundHosts for the target domain:
wasm-sandbox-serve({
wasmFile: "~/.openclaw/skills/boxed-http-server/files/boxed_http_server_component.wasm",
workDir: ["~/.openclaw/skills/boxed-http-server/files"],
allowedOutboundHosts: ["https://httpbin.org"],
args: ["--config-var", "proxy=\"[{\\\"path\\\": \\\"/httpbin\\\",\\\"target\\\" :\\\"https://httpbin.org\\\",\\\"headers\\\": {\\\"Authorization\\\": \\\"Bearer abcd1234\\\"}}]\""]
})
Combined Example: Static Site + API Proxy
Serve a static website while proxying external APIs to avoid CORS issues:
wasm-sandbox-serve({
wasmFile: "~/.openclaw/skills/boxed-http-server/files/boxed_http_server_component.wasm",
workDir: ["/home/user/website"],
allowedOutboundHosts: ["https://api.weather.com", "https://wttr.in"],
args: ["--config-var", "proxy=\"[{\\\"path\\\": \\\"/weather\\\",\\\"target\\\": \\\"https://wttr.in\\\"}]\""]
})
Then update your frontend to call /weather instead of the external API directly.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
wasmFile |
string | Yes | Path to the wasm component file |
workDir |
string[] | Yes | Website root directories (served as static files) |
allowedOutboundHosts |
string[] | No | Allowed external domains for proxy mode |
args |
string[] | No | Command-line args for auth and proxy config |
CLI Options (for openclaw wasm-sandbox serve)
| Option | Short | Description |
|---|---|---|
--ip \x3Cip> |
-i |
Socket IP to bind to |
--port \x3Cport> |
-p |
Socket port to bind to (0-65535) |
--work-dir \x3Cdir> |
Website root directory | |
--config-var \x3Cvar> |
WASI config variables | |
--allowed-outbound-hosts \x3Chosts> |
Allowed external domains (proxy mode) |
Available args Config
--config-var username=\x3Cusername>- Set Basic auth username--config-var password=\x3Cpassword>- Set Basic auth password--config-var proxy=\x3CJSON>- Set proxy rules in JSON format
proxy Config Format
[
{
"path": "/httpbin",
"target": "https://httpbin.org",
"headers": {
"Authorization": "Bearer abcd1234"
}
}
]
| Field | Type | Description |
|---|---|---|
path |
string | Proxy path prefix (requests matching this prefix will be proxied) |
target |
string | Target full URL |
headers |
object | Optional custom headers to add to the proxied request |
Security Model
Boxed HTTP Server runs inside WebAssembly sandbox with capability-based security:
- No implicit access: WASM module has zero access by default
- Explicit grants only: Access must be explicitly allowed via configuration
- Network isolation: Outbound network access is denied by default
- Resource limits: Supports timeout, memory, stack size, and fuel limits
Architecture
User Request
↓
OpenClaw Gateway
↓
Wasm Sandbox Plugin
↓
boxed_http_server_component.wasm
↓
├── Static File Handler (workDir)
├── Basic Auth Handler (args: username/password)
└── Proxy Handler (args: proxy config)
↓
Response to Client
Example: Full Deployment
Deploy a static website at http://192.168.158.134:8080:
# 1. Download wasm file (if not exists)
curl -L -o ~/.openclaw/skills/boxed-http-server/files/boxed_http_server_component.wasm \
"https://raw.githubusercontent.com/guyoung/wasm-sandbox-openclaw-skills/main/boxed-http-server/files/boxed_http_server_component.wasm"
# 2. Start server
openclaw wasm-sandbox serve \
~/.openclaw/skills/boxed-http-server/files/boxed_http_server_component.wasm \
-i 192.168.158.134 \
-p 8080 \
--work-dir /home/user/website
Troubleshooting
| Issue | Solution |
|---|---|
| "wasm file not found" | Run the download step first |
| "Connection refused" | Check IP and port, ensure firewall allows access |
| "CORS errors in frontend" | Use proxy mode to route external APIs through the server |
| "Authentication not working" | Ensure username and password are set in args |
| "Proxy returns 403" | Add target domain to allowedOutboundHosts |
Usage Guidance
This skill appears to do what it says, but before installing or running it: 1) Inspect and verify the wasm component (the raw.githubusercontent.com URL) — prefer a released artifact with a checksum or a trusted repo/maintainer. 2) Avoid placing secrets (API keys, bearer tokens, passwords) directly into static args/config; supply them via secure channels and short-lived tokens. 3) Run the server in an isolated/test environment first (not on production hosts), limit bind IP/port and firewall exposure, and restrict allowedOutboundHosts to only needed domains. 4) Review the openclaw-wasm-sandbox plugin version and its capability grants (ensure the wasm is given only the minimal network/file rights it needs). If you cannot validate the wasm binary's origin or contents, treat the download as untrusted and do not run it on sensitive systems.
Capability Analysis
Type: OpenClaw Skill
Name: boxed-http-server
Version: 1.0.1
The boxed-http-server skill provides a WebAssembly-based static HTTP server with support for Basic authentication and reverse proxying. It downloads a WASM component from a GitHub repository (github.com/guyoung) and executes it within the OpenClaw WASM sandbox. While the skill requests file system and network access, these capabilities are directly aligned with its stated purpose of serving files and proxying requests, and no evidence of malicious intent or prompt injection was found in the instructions or configuration.
Capability Assessment
Purpose & Capability
Name/description describe a wasm-based static HTTP server and the SKILL.md only requires the wasm-sandbox plugin and a wasm component file; no unrelated env vars, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are limited to downloading a wasm component into ~/.openclaw/skills/boxed-http-server/files, starting the wasm sandbox server, binding to IP/port, serving a workDir, and configuring optional proxy/auth. This stays within the stated purpose, but it explicitly writes a downloaded binary to disk and runs a network-facing server and proxy — both of which merit review before use. The examples also demonstrate embedding Authorization headers in proxy config (user-supplied secrets).
Install Mechanism
No formal install spec, but the SKILL.md instructs downloading a wasm file from https://raw.githubusercontent.com/... — GitHub raw is a common host, but the raw URL may contain arbitrary code. The wasm will be written to disk and executed by the wasm sandbox; consider verifying provenance and checksum of the wasm binary.
Credentials
The skill requests no environment variables or credentials. The only credential-like content appears in examples (proxy Authorization header) which are user-supplied configuration values — avoid embedding secrets in persistent args or public examples.
Persistence & Privilege
Skill is instruction-only, does not set always:true, and does not request system-wide config changes. It writes files under the skill directory (~/.openclaw/skills/...), which is expected for skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install boxed-http-server - After installation, invoke the skill by name or use
/boxed-http-server - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Expanded documentation with more usage scenarios and trigger conditions, including deployment, authentication protection, and static website use cases.
- Added step-by-step CLI usage examples alongside code snippets.
- Included a detailed security model and architecture overview.
- Improved explanation of parameters and configuration, including CLI options and proxy config format.
- Added troubleshooting section for common issues and solutions.
v1.0.0
Initial release of boxed-http-server.
- Provides a lightweight static HTTP server using a WebAssembly sandbox.
- Supports HTTP Basic authentication and HTTP proxy (including reverse proxy).
- Requires the openclaw-wasm-sandbox plugin (version >= 0.4.0) and separate wasm file download.
- Includes configuration options for static file roots, authentication credentials, proxy rules, and outbound host allowlists.
- Suitable for quickly starting static servers, enabling authentication, setting up proxies, or running a local dev server.
Metadata
Frequently Asked Questions
What is Boxed HTTP Server?
WebAssembly sandbox static HTTP server with HTTP Basic auth and proxy support. Use when starting a static file server, configuring HTTP authentication, setti... It is an AI Agent Skill for Claude Code / OpenClaw, with 118 downloads so far.
How do I install Boxed HTTP Server?
Run "/install boxed-http-server" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Boxed HTTP Server free?
Yes, Boxed HTTP Server is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Boxed HTTP Server support?
Boxed HTTP Server is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Boxed HTTP Server?
It is built and maintained by guyoung (@guyoung); the current version is v1.0.1.
More Skills