
nginx-explorer

Author: shaojun0 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 196
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install nginx-explorer
Description
Explore nginx-proxied directories to discover tools and utilities. Use when: user asks to explore available tools, find utilities for specific tasks, or when...
Security usage recommendations
This skill does what it says (discover and use tools on an nginx index), but it also instructs the agent to download and execute arbitrary code from the configured server — a high-risk operation if the server or its contents are not fully trusted. Before enabling or running this skill:
- Only point NGINX_URL at servers you fully trust (ideally internal, isolated hosts). Do not use public or untrusted servers.
- Require manual confirmation before any download+execute step (the skill currently describes automatic execution without enforced confirmation).
- Add explicit required binaries to the skill configuration (python, pip, tar/unzip, bash) or restrict the skill to read-only discovery if you cannot guarantee runtimes.
- Run any downloaded tools in an isolated sandbox or container, and inspect README and code before executing. Consider forbidding pip install from remote requirements.txt or pre-vetting the dependencies.
- Set NGINX_SKIP_SSL_VERIFY to false unless you control the server and accept the risk of skipping verification; defaulting to true is risky.
- If you need stronger guarantees, request the author add signature verification, allowlists, or a mode that returns README contents only (no download/execute).

Given the mismatch between declared requirements and the described execution behavior and the lack of safeguards, proceed with caution — this is suspicious but not obviously malicious; additional safeguards or author clarifications would reduce risk.
Functional analysis
Type: OpenClaw Skill
Name: nginx-explorer
Version: 1.0.0

The nginx-explorer skill facilitates remote code execution (RCE) by design, instructing the AI agent to discover, download, and execute arbitrary scripts (shell, python) from a user-configured Nginx server. Key indicators include instructions in SKILL.md to use 'chmod +x' and 'pip install -r requirements.txt' on remote content, combined with an insecure default that skips SSL verification (NGINX_SKIP_SSL_VERIFY: true). While these capabilities are highly risky and could be easily exploited if the NGINX_URL points to a malicious source, the provided files lack evidence of a hardcoded malicious payload or intentional data exfiltration.
Capability assessment
Purpose & Capability
The skill is described as an nginx directory explorer and the required primaryEnv (NGINX_URL) and curl binary match that purpose. However, the SKILL.md and README show workflows that download and execute Python scripts and install pip requirements, yet the skill does not declare Python, pip, or other runtime binaries as required. That mismatch (declared requirements too narrow for described behavior) is an incoherence to be aware of.
Instruction Scope
Runtime instructions explicitly tell the agent to enumerate directories, read README.md files, download arbitrary files (scripts/archives), run pip install -r requirements.txt, chmod +x and execute downloaded tools. Those actions permit arbitrary remote code execution and potential data exfiltration or lateral movement. The instructions lack explicit, enforced safeguards (user confirmation, sandboxing, integrity checks, allowlists) and are broad enough to let an agent autonomously fetch and run untrusted code.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to run at install time, which minimizes install-time risk. There is nothing being downloaded or installed by the installer itself.
Credentials
The only required environment variable declared is NGINX_URL (plus optional NGINX_SKIP_SSL_VERIFY). That is appropriate for discovery. However, the skill’s instructions assume other capabilities (python, pip, write access to /tmp or a downloadDir) but do not declare them as required — this under-declaration reduces transparency and may cause unexpected runtime behavior or privilege use.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. That is appropriate and avoids forced inclusion. One important note: because the platform allows autonomous invocation by default, the combination of autonomous invocation plus the skill's ability to fetch and execute remote code increases the operational risk if the agent is permitted to call the skill without human oversight.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install nginx-explorer
  3. Once installation completes, call the Skill by name or trigger it with /nginx-explorer
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v1.0.0
- Initial release of nginx-explorer skill.
- Enables exploration of nginx-proxied directory structures to discover available tools and utilities.
- Fetches directory listings and reads README.md files in each directory for tool descriptions and usage instructions.
- Requires configuration of the base nginx URL; supports optional SSL verification skipping for internal/self-signed environments.
- Integrates with OpenClaw workflows to aid in tool discovery and selection when conventional solutions fail.
- Provides bash workflow examples for discovering, searching, downloading, and running tools from the nginx-served directories.
Metadata
Slug: nginx-explorer
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 1
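FAQ

What is nginx-explorer?

Explore nginx-proxied directories to discover tools and utilities. Use when: user asks to explore available tools, find utilities for specific tasks, or when... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 196 total downloads to date.

How do I install nginx-explorer?

Run the command "/install nginx-explorer" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is nginx-explorer free?

Yes, nginx-explorer is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does nginx-explorer support?

nginx-explorer runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed nginx-explorer?

Developed and maintained by shaojun0 (@shaojun0); the current version is v1.0.0.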
