Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
http-security-headers
v1.0.0
Analyze HTTP security headers for any URL. Check for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS, and more....
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Benign (high confidence)
Purpose & Capability
Name/description match the included script and documentation. The Python scanner implements the listed header checks, grading, output formats, CI exit codes, and fix snippets. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md tells the agent to run the included script against user-provided URL(s). The script makes outbound HTTP(S) requests to arbitrary URLs (HEAD requests by default). This is expected for a scanner, but it means the skill can probe external or internal network endpoints when invoked—so the runtime network capability is the primary risk to manage.
Install Mechanism
No install spec; the skill is instruction+script-only and claims to use only the Python standard library, which the script appears to do. Nothing is downloaded from external URLs during install.
Credentials
The skill requests no environment variables, credentials, or config paths. There are no extraneous secret requirements that don't match the stated purpose.
Persistence & Privilege
The always flag is false and the skill is user-invocable; model invocation is allowed (the normal default). Autonomous invocation combined with the ability to make arbitrary network requests is a privacy/operational consideration (it could be used to scan internal hosts) but is not itself an incoherence with the declared purpose.
Assessment
This skill appears to do what it says: run a Python script to analyze HTTP response headers. Before installing or enabling it broadly, consider: (1) the script will make network requests to any URL you or the agent provide — that can probe internal/private hosts if the agent has network access; (2) autonomous invocation is allowed by default, so restrict agent network permissions or limit the skill to user-invocation if you want to avoid unintended scans; (3) if you have concerns, review the included scripts/scan_headers.py (it is pure Python stdlib) or run it locally on a safe host list. Also be mindful of legal/privacy rules before scanning third-party systems.
Patterns worth reviewing
scripts/scan_headers.py:297: Dynamic code execution detected.
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
