v1.0.0

Jrv Http Client

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 7:36 AM.

Analysis

This is a coherent curl-like HTTP client, but it gives an agent broad authenticated API access, including mutating requests, and can expose API-key headers in verbose output.

Guidance: Install only if you are comfortable giving the agent a general-purpose HTTP client. Keep requests user-directed, confirm any authenticated or non-GET operation, avoid verbose output with API keys or secret headers, and review any request-history behavior before using private endpoints.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`GET/POST/PUT/DELETE/PATCH/HEAD` | HTTP method ... `--bearer <token>` ... `--auth <user:pass>` ... `--api-key <Header:value>`

The documented interface allows an agent to send arbitrary authenticated requests, including mutating or destructive methods, to any URL.

User impact: If the agent uses this tool with real credentials, a mistaken or overbroad request could modify or delete data in external services.
Recommendation: Use this only when you want a general-purpose HTTP client, and require explicit user approval for non-GET, authenticated, production, or destructive requests.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
scripts/http_client.py
req_headers[hname.strip()] = hval.strip() ... masked = v if "Authorization" not in k else v[:20] + "..."

API keys supplied through custom headers are stored in request headers, but verbose output masks only headers named Authorization, so headers such as X-API-Key can be printed in cleartext.

User impact: API keys or other secret custom headers could appear in terminal output, agent transcripts, or logs when verbose mode is used.
Recommendation: Avoid `--verbose` with secret headers, or update the tool to mask common secret header names such as X-API-Key, API-Key, Cookie, and Set-Cookie.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Supports ... timing, and request history ...

The description advertises request history, but the documentation does not describe what is stored, where it is stored, or how sensitive URLs or request details are excluded.

User impact: Request history could preserve sensitive endpoints or request details if implemented and enabled.
Recommendation: Check any history/logging behavior before using secrets or private endpoints, and clear or disable history where possible.