HTTP Request Builder

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate HTTP testing tool, but it can store tokens, headers, and request bodies in plaintext local files without strong warning or redaction.

Review before installing. Avoid using production credentials, bearer tokens, cookies, or private payloads with saved templates, and clear ~/.http-request-builder/history.json after sensitive requests. Treat saved templates as secret-bearing files and do not share or commit them unless you have checked their contents.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (7)

Missing User Warnings

Medium
94% confidence
Finding
The README explicitly states that request history is logged and templates are stored as simple JSON files without encryption, but it does not clearly warn users that these artifacts may contain sensitive headers, bodies, passwords, or bearer tokens. In the context of an HTTP request builder, this is more dangerous because the documented use cases include authentication secrets, making accidental credential persistence and local disclosure a realistic risk.

Missing User Warnings

Medium
95% confidence
Finding
The documentation explicitly says templates are stored as simple JSON files without encryption, and examples show Authorization headers, bearer tokens, and passwords being used and saved. Without a prominent warning, users may unknowingly persist secrets such as tokens, credentials, cookies, or API keys to disk in plaintext, where they may be exposed through local compromise, backups, or accidental sharing.

Missing User Warnings

Medium
95% confidence
Finding
Request history persists outbound request metadata, and request_data may include headers and bodies that contain API keys, bearer tokens, cookies, PII, or other secrets. Because this is written to a predictable file under the user's home directory without clear consent, redaction, or permission hardening, sensitive data may be exposed to other local users, backups, or malware.

Missing User Warnings

Medium
97% confidence
Finding
GET template saving writes authentication-related fields such as bearer tokens and usernames to disk, enabling credential disclosure if the local filesystem is accessed by another process or user. Since templates are designed for replay, this also increases the chance of accidental reuse or transmission of stale secrets.

Missing User Warnings

Medium
98% confidence
Finding
POST template saving can write bearer tokens and full request bodies to disk, which may include passwords, API keys, session identifiers, PII, or business-sensitive payloads. Plaintext persistence of both credentials and body content materially raises the risk of local secret leakage and unintended disclosure through backups, source control, or shared systems.

Missing User Warnings

Medium
93% confidence
Finding
Template execution automatically loads stored credentials or tokens from disk and transmits them over the network, which can surprise users and lead to accidental secret use against unintended endpoints. This is especially risky because the template file may be modified offline, causing the tool to send sensitive auth data to an attacker-controlled URL.

Missing User Warnings

Medium
97% confidence
Finding
The generated handlers for PUT, PATCH, DELETE, and related methods repeat the same unsafe persistence pattern by saving tokens and request bodies to disk. Because these methods often carry state-changing payloads, the stored data may be highly sensitive and the replay risk is broader than for simple GET requests.

VirusTotal

VirusTotal findings are pending for this skill version.
