← Back to Skills Marketplace
brennerspear

Dev Serve

by BrennerSpear · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
471
Downloads
0
Stars
3
Active Installs
1
Versions
Install in OpenClaw
/install dev-serve
Description
Start and manage tmux-backed dev servers exposed through Caddy at wildcard subdomains.
README (SKILL.md)

dev-serve — One-Command Dev Server Hosting

Start a dev server in a tmux session and expose it via Caddy at \x3Cproject>.YOUR_DOMAIN. One command up, one command down.

Setup

  1. Install the script:

    cp scripts/dev-serve.sh ~/.local/bin/dev-serve
chmod +x ~/.local/bin/dev-serve

  2. Set your domain (one of):

    • Export DEV_SERVE_DOMAIN in your shell profile
    • Or edit the DOMAIN variable in the script

  3. Requirements:

    • Caddy running with wildcard DNS + TLS (see caddy skill)
    • tmux, jq, curl
    • Caddy admin API on localhost:2019

CLI

dev-serve up \x3Crepo-path> [port]      # Start dev server + add Caddy route
dev-serve down \x3Cname>                # Stop dev server + remove Caddy route
dev-serve ls                         # List active dev servers
dev-serve restart \x3Cname>             # Restart dev server (keep Caddy route)

How It Works

  1. Derives subdomain from the repo folder name (~/projects/myappmyapp.YOUR_DOMAIN)
  2. Detects the dev command from package.json scripts.dev (supports vite, next, nuxt, sveltekit)
  3. Auto-patches Vite allowedHosts if a vite config file exists
  4. Starts the dev server in a tmux session named dev-\x3Cname> with --host 0.0.0.0 --port \x3Cport>
  5. Adds a Caddy route + dashboard link to the Caddyfile
  6. Reloads Caddy via admin API (no sudo, no restart)
  7. Verifies end-to-end: waits for the dev server to listen, then polls HTTPS until 2xx/3xx (up to 90s)

Examples

# Start with auto-assigned port (starts at 5200, skips used ports)
dev-serve up ~/projects/myapp
# → https://myapp.YOUR_DOMAIN

# Explicit port
dev-serve up ~/projects/myapp 5200

# Override dev command
DEV_CMD="bun dev" dev-serve up ~/projects/myapp 5300

# Stop and clean up
dev-serve down myapp

# List what's running
dev-serve ls

Configuration

Variable Default Description
DEV_SERVE_DOMAIN (must be set) Your wildcard domain (e.g. mini.example.com)
DEV_SERVE_STATE_DIR ~/.config/dev-serve Where state JSON is stored
CADDYFILE ~/.config/caddy/Caddyfile Path to your Caddyfile
CADDY_ADMIN http://localhost:2019 Caddy admin API address
DEV_CMD (auto-detected) Override the dev server command

Port Convention

  • Permanent services: 3100 range (managed in Caddyfile directly)
  • Dev servers: 5200+ (managed by dev-serve, auto-assigned)

Vite allowedHosts

Vite blocks requests from unrecognized hostnames. dev-serve up automatically patches vite.config.ts (or .js/.mts/.mjs) to add the subdomain. If auto-patching fails, it prints the manual fix.

Architecture

Browser (Tailscale / LAN / etc.)
  → DNS: *.YOUR_DOMAIN → your server IP
    → Caddy (HTTPS with auto certs)
      → reverse_proxy localhost:\x3Cport>
        → Dev server (in tmux session)

Companion Skills

  • caddy — Required. Sets up the Caddy reverse proxy with wildcard TLS.

Troubleshooting

Dev server not starting:

tmux attach -t dev-\x3Cname>    # see what happened

Cert not provisioning (curl exit 35): Wait 30-60s for DNS-01 challenge. Check tail -20 /var/log/caddy-error.log.

Caddy reload failed:

caddy reload --config ~/.config/caddy/Caddyfile --address localhost:2019

403 from Vite: The subdomain wasn't added to allowedHosts. Add it manually to your vite.config.ts:

server: { allowedHosts: ['myapp.YOUR_DOMAIN'] }
Usage Guidance
Before installing/running this skill: 1) Inspect the provided scripts/dev-serve.sh yourself — it will edit your ~/.config/caddy/Caddyfile and may patch source files in your repo (vite configs). 2) Set and verify DEV_SERVE_DOMAIN before running; the script will exit if this env var is not set (the registry metadata did not declare this requirement). 3) Back up your Caddyfile and any repo files you care about. 4) Ensure the Caddy admin API (http://localhost:2019) is only reachable locally and not exposed to untrusted networks — the script will POST your Caddyfile to that endpoint. 5) Confirm required binaries are present (tmux, jq, curl, lsof, sed, grep) and run the script on a machine where modifying reverse-proxy config and running arbitrary dev commands is acceptable. 6) Prefer obtaining this tool from a named, trusted source or repository (homepage/source is unknown); if the author or canonical repo is provided, re-evaluate after verifying that origin. If the metadata were corrected to list required env vars/binaries and the script included safe-guards (confirmation prompts or dry-run mode), my confidence would increase.
Capability Analysis
Type: OpenClaw Skill Name: dev-serve Version: 1.0.0 The skill is highly suspicious due to multiple critical vulnerabilities that allow remote code execution (RCE) and configuration injection. The `scripts/dev-serve.sh` script directly executes user-controlled commands derived from the `DEV_CMD` environment variable or the `scripts.dev` entry in a project's `package.json` file via `tmux send-keys`. This allows arbitrary shell commands to be executed. Additionally, user-controlled strings (derived from the repository name and `DEV_SERVE_DOMAIN`) are inserted into the `CADDYFILE` and `vite.config.*` files using `sed` without proper sanitization, creating Caddy configuration injection and JavaScript injection vulnerabilities. While these are vulnerabilities rather than explicit malicious intent by the skill developer, they pose a severe risk if the skill is used with untrusted input or if the AI agent is prompted to use it maliciously.
Capability Assessment
Purpose & Capability
The name and description match the script's behavior: it starts tmux sessions, chooses ports, edits a Caddyfile, calls the Caddy admin API, and patches project config files (vite). However the registry metadata declares no required env vars or binaries while the script requires DEV_SERVE_DOMAIN and relies on tmux, jq, curl, sed/awk/grep/lsof, etc. The missing metadata declarations are an incoherence that reduces trust.
Instruction Scope
SKILL.md and the script instruct the agent/user to copy a script that will: modify your Caddyfile, POST the Caddyfile to the Caddy admin API, auto-patch project source files (vite config), create/kill tmux sessions, and write state to ~/.config/dev-serve/state.json. Those actions are functionally within the stated purpose but are intrusive (editing server proxy config and source files) and should be explicitly highlighted to users — the instructions do not require explicit confirmation/backup before editing.
Install Mechanism
There is no automated install spec (user is told to cp the script to ~/.local/bin). That keeps risk lower than downloading/executing remote archives. The presence of a local script file means behavior is visible to review before installation.
Credentials
The script requires DEV_SERVE_DOMAIN (and respects CADDY_ADMIN, CADDYFILE, DEV_SERVE_STATE_DIR, DEV_CMD), but the registry metadata lists no required environment variables or primary credential. The missing declaration of DEV_SERVE_DOMAIN and the lack of declared required binaries is a mismatch. The script does not request external credentials, which is proportional to its purpose.
Persistence & Privilege
The skill does not request always:true and does not demand elevated system privileges. It will, however, modify user files (Caddyfile and repo config files) and reload Caddy via the admin API at localhost:2019; that API should be protected. These behaviors are necessary for operation but increase blast radius if run on a shared or exposed host.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dev-serve
  3. After installation, invoke the skill by name or use /dev-serve
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial publish
Metadata
Slug dev-serve
Version 1.0.0
License
All-time Installs 3
Active Installs 3
Total Versions 1
Frequently Asked Questions

What is Dev Serve?

Start and manage tmux-backed dev servers exposed through Caddy at wildcard subdomains. It is an AI Agent Skill for Claude Code / OpenClaw, with 471 downloads so far.

How do I install Dev Serve?

Run "/install dev-serve" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Dev Serve free?

Yes, Dev Serve is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Dev Serve support?

Dev Serve is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Dev Serve?

It is built and maintained by BrennerSpear (@brennerspear); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments