Skill v1.0.0
ClawScan security
HTTP Request Builder · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 2:01 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (a local CLI HTTP request builder) and does not request unrelated credentials or network access beyond the user-specified request targets, but it stores templates and history in plaintext, which can contain secrets.
- Guidance: This tool appears to do what it says: build, send, and save HTTP requests locally. Before installing/using it, be aware that templates and request history are saved as plaintext JSON under ~/.http-request-builder/ and can include bearer tokens and basic-auth credentials. Do not save secrets you would not want stored on disk; restrict filesystem access to that folder (correct file permissions), remove sensitive fields before saving templates, or delete templates/history when finished. Confirm the script's source (source/homepage unknown) before trusting it with sensitive requests, and consider running it in a sandboxed environment if you need to send credentials to untrusted endpoints.
Review Dimensions
- Purpose & Capability: ok. Name, description, SKILL.md, README, and included Python script all align: a CLI tool to build, send, save, and replay HTTP requests. There are no unexpected binaries, env vars, or config paths required beyond storing data in the user's home directory.
- Instruction Scope: note. Runtime instructions and the code operate within the described scope (sending HTTP requests, interactive and CLI modes, saving templates/history). However, the tool explicitly saves templates and history as JSON files in ~/.http-request-builder/ and may persist authentication tokens and usernames/passwords in plaintext; the SKILL.md documents this limitation but it is a privacy/security consideration the user should weigh.
- Install Mechanism: ok. Instruction-only with a bundled script; no install spec or remote downloads. The only runtime dependency is the widely-used 'requests' Python package, which the code checks for. No high-risk install behavior is present.
- Credentials: note. The skill requests no environment variables or credentials and the code does not read hidden system credentials. However, it writes and reads templates/history that may include sensitive data (bearer tokens, basic auth username/password) in plaintext JSON files. The SKILL.md mentions templates are not encrypted; users should treat stored templates/history as sensitive.
- Persistence & Privilege: ok. The skill does not request 'always' presence, does not modify other skills or global agent settings, and only creates a config directory under the user's home (~/.http-request-builder). This is appropriate for a CLI tool that stores user data locally.
