Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
HTTP Header Analyzer
v1.0.0
Analyze HTTP security headers and TLS configuration. Find missing headers, weak ciphers, and misconfigurations in web applications.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included script: the Python tool analyzes headers and TLS. However SKILL.md metadata declares a required binary 'curl' even though the shipped script uses the Python requests/urllib libraries and never calls curl. Requesting curl is unnecessary for the stated purpose and is an incoherence in requirements.
Instruction Scope
Runtime instructions are limited to running the bundled Python script against user-provided URLs or a user-provided file of URLs. The script only performs network requests to the specified targets and does not attempt to read unrelated system files or external control endpoints. It does accept a file path provided by the user and will read that file (expected behavior for batch scanning).
Install Mechanism
There is no install spec (instruction-only) and the included script runs from the skill directory. No remote downloads or archive extraction are performed by the skill itself. This is a low-risk installation model.
Credentials
The skill requests no environment variables, secrets, or config paths. The absence of credential requests is proportional to the described functionality.
Persistence & Privilege
The skill is not set to always:true and does not request persistent or elevated privileges. Autonomous invocation is allowed (platform default) but is not combined with other concerning signals.
What to consider before installing
This skill's code matches its description: it will perform HTTP(S) requests to any URL(s) you give it and report missing security headers and basic TLS info. Two things to consider before installing or running it: (1) SKILL.md declares 'curl' as a required binary even though the shipped Python script uses requests/urllib — this is likely a packaging or metadata error but worth noting. (2) The script intentionally disables TLS certificate verification when fetching headers and when checking TLS (verify=False / CERT_NONE) so it will accept invalid/expired certificates for scanning purposes; that is typically fine for enumerating headers but means it won't validate server identity. There are no hidden network endpoints or secret exfiltration code in the files provided. If you will scan external sites, ensure you have permission to do so and run scans from a network/location you control. If you want to be extra cautious, inspect the local script yourself or run it in an isolated environment before granting broader access.
scripts/analyze-headers.py:155
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔒 Clawdis
Bins: curl
