Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

cors-scanner

v1.0.0

Scan web endpoints for CORS misconfigurations. Detect origin reflection, wildcard policies, null origin acceptance, credential leaks, subdomain trust, HTTP o...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description align with the included script: the code issues HTTP(S) requests with crafted Origin headers and inspects CORS response headers to detect reflection, wildcards, null origin, preflight issues, private-network access, etc. No unrelated credentials, binaries, or services are requested.
Instruction Scope
SKILL.md simply instructs running the included Python script against target URLs and describes expected outputs/formats. The instructions do not ask the agent to read local files, environment variables, or send results to external endpoints. Note: the script performs network requests to arbitrary targets (expected for a scanner).
Install Mechanism
No install spec is present and the tool uses only Python standard library (urllib, ssl, argparse). This is proportionate for a lightweight scanner. The package is delivered as source (scripts/cors_scan.py) so no external downloads during install.
Credentials
The skill declares no required environment variables, credentials, or config paths. The script does not appear to reference secrets. This is appropriate for a network-scanning utility.
Persistence & Privilege
always:false and no special privileges or modifications to other skills/systems are requested. The skill does not request permanent presence or elevated agent configuration.
Scan Findings in Context
[no_regex_findings] expected: Static pre-scan found no patterns of concern. For a pure network scanner this is expected; absence of findings does not guarantee there is no unexpected behavior in the portions of the file not shown.
Assessment
This skill is internally consistent with being a CORS misconfiguration scanner: it only needs to make HTTP(S) requests and inspect headers. Before running it, consider these practical points: (1) the included script disables TLS verification (ssl.CERT_NONE) and turns off hostname checks — this is common in scanning tools to avoid failing on self-signed certs but means the scanner will accept invalid certificates; (2) the scanner will send crafted Origin headers and may trigger server-side behavior—only scan endpoints you own or have permission to test to avoid legal issues; (3) I reviewed most of the script, but the provided source was truncated in the listing — inspect the full scripts/cors_scan.py locally to confirm there are no calls that log or transmit results to third-party services before executing; (4) run the tool in an isolated environment (or sandbox) if you want extra caution. If you can provide the complete scripts/cors_scan.py contents I can raise my confidence to high.


