Dev Serve
v1.0.0Start and manage tmux-backed dev servers exposed through Caddy at wildcard subdomains.
0· 405·3 当前·3 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill's code mostly matches its described purpose (managing tmux-backed dev servers and editing Caddy routes), but the package metadata omits required environment variables and required binaries and the script performs intrusive edits to user files (Caddyfile and project configs), so the bundle is inconsistent and warrants caution.
评估建议
Before installing/running this skill: 1) Inspect the provided scripts/dev-serve.sh yourself — it will edit your ~/.config/caddy/Caddyfile and may patch source files in your repo (vite configs). 2) Set and verify DEV_SERVE_DOMAIN before running; the script will exit if this env var is not set (the registry metadata did not declare this requirement). 3) Back up your Caddyfile and any repo files you care about. 4) Ensure the Caddy admin API (http://localhost:2019) is only reachable locally and not ...详细分析 ▾
⚠ 用途与能力
The name and description match the script's behavior: it starts tmux sessions, chooses ports, edits a Caddyfile, calls the Caddy admin API, and patches project config files (vite). However the registry metadata declares no required env vars or binaries while the script requires DEV_SERVE_DOMAIN and relies on tmux, jq, curl, sed/awk/grep/lsof, etc. The missing metadata declarations are an incoherence that reduces trust.
⚠ 指令范围
SKILL.md and the script instruct the agent/user to copy a script that will: modify your Caddyfile, POST the Caddyfile to the Caddy admin API, auto-patch project source files (vite config), create/kill tmux sessions, and write state to ~/.config/dev-serve/state.json. Those actions are functionally within the stated purpose but are intrusive (editing server proxy config and source files) and should be explicitly highlighted to users — the instructions do not require explicit confirmation/backup before editing.
✓ 安装机制
There is no automated install spec (user is told to cp the script to ~/.local/bin). That keeps risk lower than downloading/executing remote archives. The presence of a local script file means behavior is visible to review before installation.
⚠ 凭证需求
The script requires DEV_SERVE_DOMAIN (and respects CADDY_ADMIN, CADDYFILE, DEV_SERVE_STATE_DIR, DEV_CMD), but the registry metadata lists no required environment variables or primary credential. The missing declaration of DEV_SERVE_DOMAIN and the lack of declared required binaries is a mismatch. The script does not request external credentials, which is proportional to its purpose.
ℹ 持久化与权限
The skill does not request always:true and does not demand elevated system privileges. It will, however, modify user files (Caddyfile and repo config files) and reload Caddy via the admin API at localhost:2019; that API should be protected. These behaviors are necessary for operation but increase blast radius if run on a shared or exposed host.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.02026/2/25
Initial publish
● 可疑
安装命令 点击复制
官方npx clawhub@latest install dev-serve
镜像加速npx clawhub@latest install dev-serve --registry https://cn.clawhub-mirror.com
技能文档
Start a dev server in a tmux session and expose it via Caddy at
Setup
- Install the script:
cp scripts/dev-serve.sh ~/.local/bin/dev-serve
chmod +x ~/.local/bin/dev-serve
- Set your domain (one of):
DEV_SERVE_DOMAIN in your shell profile
- Or edit the DOMAIN variable in the script- Requirements:
tmux, jq, curl
- Caddy admin API on localhost:2019CLI
dev-serve up [port] # Start dev server + add Caddy route
dev-serve down # Stop dev server + remove Caddy route
dev-serve ls # List active dev servers
dev-serve restart # Restart dev server (keep Caddy route)
How It Works
- Derives subdomain from the repo folder name (
~/projects/myapp→myapp.YOUR_DOMAIN) - Detects the dev command from
package.jsonscripts.dev(supports vite, next, nuxt, sveltekit) - Auto-patches Vite
allowedHostsif a vite config file exists - Starts the dev server in a tmux session named
dev-with--host 0.0.0.0 --port - Adds a Caddy route + dashboard link to the Caddyfile
- Reloads Caddy via admin API (no sudo, no restart)
- Verifies end-to-end: waits for the dev server to listen, then polls HTTPS until 2xx/3xx (up to 90s)
Examples
# Start with auto-assigned port (starts at 5200, skips used ports)
dev-serve up ~/projects/myapp
# → https://myapp.YOUR_DOMAIN# Explicit port
dev-serve up ~/projects/myapp 5200
# Override dev command
DEV_CMD="bun dev" dev-serve up ~/projects/myapp 5300
# Stop and clean up
dev-serve down myapp
# List what's running
dev-serve ls
Configuration
| Variable | Default | Description |
|---|---|---|
DEV_SERVE_DOMAIN | (must be set) | Your wildcard domain (e.g. mini.example.com) |
DEV_SERVE_STATE_DIR | ~/.config/dev-serve | Where state JSON is stored |
CADDYFILE | ~/.config/caddy/Caddyfile | Path to your Caddyfile |
CADDY_ADMIN | http://localhost:2019 | Caddy admin API address |
DEV_CMD | (auto-detected) | Override the dev server command |
Port Convention
- Permanent services: 3100 range (managed in Caddyfile directly)
- Dev servers: 5200+ (managed by dev-serve, auto-assigned)
Vite allowedHosts
Vite blocks requests from unrecognized hostnames. dev-serve up automatically patches vite.config.ts (or .js/.mts/.mjs) to add the subdomain. If auto-patching fails, it prints the manual fix.
Architecture
Browser (Tailscale / LAN / etc.)
→ DNS: *.YOUR_DOMAIN → your server IP
→ Caddy (HTTPS with auto certs)
→ reverse_proxy localhost:
→ Dev server (in tmux session)
Companion Skills
- caddy — Required. Sets up the Caddy reverse proxy with wildcard TLS.
Troubleshooting
Dev server not starting:
tmux attach -t dev- # see what happened
Cert not provisioning (curl exit 35):
Wait 30-60s for DNS-01 challenge. Check tail -20 /var/log/caddy-error.log.
Caddy reload failed:
caddy reload --config ~/.config/caddy/Caddyfile --address localhost:2019
403 from Vite:
The subdomain wasn't added to allowedHosts. Add it manually to your vite.config.ts:
server: { allowedHosts: ['myapp.YOUR_DOMAIN'] }
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制