SSL Certificate Checker
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The SSL checker is mostly purpose-aligned, but its HTML report appears to place untrusted certificate/domain data into a web page without escaping it.
Install only if you are comfortable with a local Python tool that contacts specified domains and writes reports. Avoid generating/opening HTML reports for untrusted domains unless the report output is fixed to escape certificate and hostname fields.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill will contact the listed domains or hosts, potentially many at once.
The skill can connect to one or many user-provided hosts, including from a file and with configurable concurrency. This is central to certificate checking, but it is still externally observable network probing.
`python3 check_ssl.py --file domains.txt`; `python3 check_ssl.py --threads 20`; `Network access to target domains`
Use it only for domains you own or are authorized to test, and review domain files before scanning.
Opening a generated report for an attacker-controlled or untrusted domain could display manipulated content or run unwanted browser-side code.
The HTML report inserts certificate-derived fields and host data directly into HTML without visible escaping. A malicious or unusual certificate value could inject markup or script into the generated report when opened in a browser.
<td>{subject}</td> ... <td>{issuer}</td> ... <td>{', '.join(r['san'][:5])}</td>Escape all report fields with an HTML escaping function before writing them, or avoid opening reports generated from untrusted domains until this is fixed.