CORS
v1.0.0
Configure Cross-Origin Resource Sharing correctly to avoid security issues and debugging pain.
by Iván @ivangdavila
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the SKILL.md content: detailed CORS configuration guidance. There are no unrelated requirements (no env vars, binaries, or installs) that would be inappropriate for a documentation-style skill.
Instruction Scope
SKILL.md is purely prescriptive guidance (headers to set, pitfalls to avoid). It does not instruct the agent to run commands, read files, access unrelated environment variables, or transmit data to external endpoints—no scope creep detected.
Install Mechanism
No install spec and no code files. Because this is instruction-only, nothing will be written to disk or pulled from remote URLs during install.
Credentials
The skill requests no credentials or environment configuration. There are no unexplained secrets or access requests relative to the skill's stated purpose.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent presence or modify other skills or system-wide settings. Normal autonomous invocation is allowed but not problematic here given the skill's benign, read-only nature.
Assessment
This skill is a documentation-only helper — it won't install software or access secrets. It's low-risk and coherent with its purpose. Before applying the guidance to production, review and implement the recommendations in your server code (validate Origin against an allowlist instead of reflecting it, add Vary: Origin, include CORS headers on OPTIONS and error responses, and explicitly list headers for compatibility). Test preflight caching and credentialed requests across target browsers and ensure proxies/CDNs don't strip headers. Remember: CORS controls whether a browser can read responses — it does not prevent the server from processing requests, so continue to use proper authentication and CSRF protections for sensitive endpoints.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔀 Clawdis
OS: Linux · macOS · Windows
