ClawHub

HTTP Header Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward HTTP security header checker, but its TLS results should be treated cautiously because it disables certificate verification.

Install only if you are comfortable with a local Python script making network requests to the URLs you provide. Treat TLS-related output as potentially unreliable until certificate verification is enabled by default or an explicit insecure mode is added.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes a Python script that performs outbound HTTP/TLS analysis and depends on curl, which clearly gives it network capability; it also executes commands from the skill environment, indicating shell/code execution capability. Because these capabilities are not declared in permissions, users and policy systems may underestimate what the skill can do, reducing transparency and weakening sandboxing or approval controls.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script disables TLS certificate validation both when fetching headers and when performing TLS inspection, which allows a man-in-the-middle to present any certificate and have the scan succeed. In a security-analysis tool, this is especially misleading because it can cause users to trust results gathered from an intercepted or spoofed endpoint without any warning.

Unsafe Defaults

Medium
Category
Tool Misuse
Content
def fetch_headers(url, timeout=10, follow=True, user_agent=None):
    headers = {"User-Agent": user_agent or "Mozilla/5.0 Security Header Analyzer"}
    if HAS_REQUESTS:
        resp = requests.get(url, timeout=timeout, allow_redirects=follow, headers=headers, verify=False)
        return dict(resp.headers), resp.status_code
    else:
        import urllib.request
Confidence
99% confidence
Finding
verify=False

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal