Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HTTP Request Builder

v1.0.0

Build, test, and save HTTP requests from the CLI with custom headers, auth, body, cookies, templates, interactive mode, and request history tracking.

by Derick (@derick001)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, SKILL.md, README, and included Python script all align: a CLI tool to build, send, save, and replay HTTP requests. There are no unexpected binaries, env vars, or config paths required beyond storing data in the user's home directory.
Instruction Scope
Runtime instructions and the code operate within the described scope (sending HTTP requests, interactive and CLI modes, saving templates/history). However, the tool explicitly saves templates and history as JSON files in ~/.http-request-builder/ and may persist authentication tokens and usernames/passwords in plaintext; the SKILL.md documents this limitation but it is a privacy/security consideration the user should weigh.
Install Mechanism
Instruction-only with a bundled script; no install spec or remote downloads. The only runtime dependency is the widely-used 'requests' Python package, which the code checks for. No high-risk install behavior is present.
Credentials
The skill requests no environment variables or credentials and the code does not read hidden system credentials. However, it writes and reads templates/history that may include sensitive data (bearer tokens, basic auth username/password) in plaintext JSON files. The SKILL.md mentions templates are not encrypted; users should treat stored templates/history as sensitive.
Persistence & Privilege
The skill does not request 'always' presence, does not modify other skills or global agent settings, and only creates a config directory under the user's home (~/.http-request-builder). This is appropriate for a CLI tool that stores user data locally.
Assessment
This tool appears to do what it says: build, send, and save HTTP requests locally. Before installing/using it, be aware that templates and request history are saved as plaintext JSON under ~/.http-request-builder/ and can include bearer tokens and basic-auth credentials. Do not save secrets you would not want stored on disk; restrict filesystem access to that folder (correct file permissions), remove sensitive fields before saving templates, or delete templates/history when finished. Confirm the script's source (source/homepage unknown) before trusting it with sensitive requests, and consider running it in a sandboxed environment if you need to send credentials to untrusted endpoints.
