首页龙虾技能列表 › WebChat HTTPS Proxy — 技能工具

WebChat HTTPS Proxy — 技能工具

v0.1.1

[自动翻译] HTTPS/WSS reverse proxy for OpenClaw WebChat Control UI. Serves the Control UI over HTTPS with TLS cert management, proxies WebSocket connections to t...

0· 354·4 当前·4 累计
by @neldar·MIT-0
下载技能包
License
MIT-0
最后更新
2026/3/20
安全扫描
VirusTotal
无害
查看报告
OpenClaw
安全
medium confidence
The files and runtime instructions are coherent with a user-level HTTPS/WSS reverse-proxy for the WebChat Control UI; the package modifies user config and installs a systemd user service but otherwise stays within its stated scope.
评估建议
This skill appears to do what it claims, but review before installing: 1) Back up ~/.openclaw/openclaw.json — deploy.sh will modify allowedOrigins and the proxy will read the gateway token from that file. 2) If you expose the service to your LAN (setting VOICE_HOST/VOICE_BIND_HOST or using a non-local bind), ensure a gateway token is configured — otherwise /transcribe may be accessible from the network. 3) Note small naming mismatch: the service unit uses VOICE_BIND_HOST but SKILL.md documents V...
详细分析 ▾
用途与能力
Name/description match what the files do: they copy a Python proxy into the user's workspace, update gateway.allowedOrigins in ~/.openclaw/openclaw.json, and install a user systemd service to serve HTTPS/WSS and proxy /transcribe to a local transcription service.
指令范围
SKILL.md and scripts explicitly modify ~/.openclaw/openclaw.json, write a user systemd unit, and copy the runtime python to ~/.openclaw/workspace/voice-input. The proxy reads the gateway token from that config for optional auth. All file and network accesses are declared in SKILL.md, but note the auth behavior: when no gateway token is present the proxy permits requests (safe for localhost by default), so exposing to a LAN without a gateway token would allow unauthenticated /transcribe access.
安装机制
No external downloads or opaque installers. It's an instruction-only skill with included scripts and a Python file. Deploy copies local files into user workspace and relies on an existing Python + aiohttp; no arbitrary remote code is fetched or executed during install.
凭证需求
Requested env/config access is appropriate for a local proxy (port, bind host, allowed origin, workspace paths, and the openclaw config for gateway token). Minor inconsistencies exist between documented env names and actual usage: SKILL.md documents VOICE_HOST/VOICE_ALLOWED_ORIGIN/VOICE_HTTPS_PORT and config_paths, but the runtime python reads VOICE_BIND_HOST and WORKSPACE; deploy.sh maps VOICE_HOST → VOICE_BIND_HOST when creating the systemd unit. Registry metadata at the top also shows garbled required-env entries ("[object Object]").
持久化与权限
The skill creates a user-level systemd service (~/.config/systemd/user) and enables it for the user; no root/sudo operations. always:true is not set. Uninstall script attempts to revert created artifacts.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv0.1.12026/3/6

MIT license added; same-origin transcribe auth hardening; preserve configured voice host on redeploy.

● 无害

安装命令 点击复制

官方npx clawhub@latest install webchat-https-proxy
镜像加速npx clawhub@latest install webchat-https-proxy --registry https://cn.clawhub-mirror.com

技能文档

Standalone HTTPS/WSS reverse proxy for OpenClaw WebChat Control UI:

  • Serves the Control UI over HTTPS (default port 8443)
  • WebSocket passthrough to gateway (ws://127.0.0.1:18789)
  • /transcribe proxy endpoint to local faster-whisper service (same-origin browser auth; optional Bearer fallback)
  • Self-signed TLS certificate management
  • SPA fallback for Control UI routing
  • Path traversal protection for static file serving

Deploy

bash scripts/deploy.sh

Or expose on LAN: 

VOICE_HOST=10.0.0.42 VOICE_HTTPS_PORT=8443 bash scripts/deploy.sh

This script is idempotent.

Quick verify

bash scripts/status.sh

Security Notes

Network isolation

  • Localhost by default: Binds to 127.0.0.1 only. Not reachable from other devices unless VOICE_HOST is explicitly set.
  • LAN access opt-in: Setting VOICE_HOST= enables trusted LAN access. Re-deploys preserve the existing configured bind host unless you explicitly override VOICE_HOST.
  • CORS: Single allowed origin only (VOICE_ALLOWED_ORIGIN). Validated at startup — wildcards (*) and malformed origins are rejected.

TLS

  • TLS 1.2+ enforced: Minimum protocol version set to TLS 1.2. Legacy SSL/TLS 1.0/1.1 rejected.
  • Self-signed TLS: Auto-generated certificate. Browser certificate warning on first access.
  • Private key permissions: chmod 600 on TLS key file.

Authentication

  • Bearer token auth: /transcribe endpoint validates Bearer token against gateway auth token using constant-time comparison (hmac.compare_digest).
  • When no gateway token is configured, auth is skipped (safe for localhost-only).

Input validation

  • Upload size limit: 50 MB hard limit on /transcribe proxy requests (HTTP 413).
  • Empty body rejection: HTTP 400 for empty requests.
  • Response size limit: 10 MB cap on upstream response to prevent memory exhaustion.
  • Path traversal protection: Static file serving resolves symlinks (os.path.realpath) and validates the resolved path stays within the Control UI directory.

Error handling

  • No exception leaking: Error responses return generic messages, not internal exception details.
  • Upstream timeout: 120s timeout on transcription backend requests.

SSRF protection

  • Upstream URLs (VOICE_TRANSCRIBE_URL, VOICE_GATEWAY_WS) are validated to point to localhost only. Non-localhost targets are rejected at startup.

No data exfiltration

  • No outbound network calls. Proxy only connects to localhost services.
  • No telemetry, analytics, or phone-home behavior.

Persistence

  • User systemd service starts on boot. Use uninstall.sh to fully revert.

What this skill modifies

WhatPathAction
Gateway config~/.openclaw/openclaw.jsonAdds HTTPS origin to gateway.controlUi.allowedOrigins
Systemd service~/.config/systemd/user/openclaw-voice-https.serviceCreates + enables persistent HTTPS proxy
Runtime file~/.openclaw/workspace/voice-input/https-server.pyCopies proxy server
TLS certs~/.openclaw/workspace/voice-input/certs/Auto-generated self-signed cert on first run

Uninstall

bash scripts/uninstall.sh

Common fixes

  • 404 /chat?... → SPA fallback missing in HTTPS proxy.
  • origin not allowed → ensure deploy used correct VOICE_HOST and added matching HTTPS origin to gateway.controlUi.allowedOrigins.
  • token missing → open URL with ?token=... once.
  • pairing required → approve pending device via openclaw devices approve --token .

ces approve --token `.

数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务