Headers
v1.0.0
Audit HTTP security headers for any website — checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: the scripts issue HTTP GETs, inspect response headers, grade presence of security headers, and report info-leak headers. No unrelated credentials, binaries, or config paths are requested. The duplicate files (headers.py and scripts/headers.py) are identical copies — a minor hygiene issue but not a security mismatch.
Instruction Scope
SKILL.md instructs running the included Python script which performs network requests to the provided URLs and prints/returns JSON. The instructions do not read local files, environment variables, or send data to third-party endpoints. Note: because the skill performs arbitrary HTTP requests, an agent running it could be used to probe internal or private endpoints if the agent has network access; this is expected behavior for a network-scanning utility but is a risk to be aware of.
Install Mechanism
No install spec; the skill is instruction-and-script-only and relies on Python's stdlib (urllib). This is low-risk: nothing is downloaded or written during install.
Credentials
The skill requests no environment variables or credentials. Its network access is proportional to its purpose (it must perform HTTP requests to audit headers). There are no unrelated secret accesses or config paths.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. The skill can be invoked autonomously by the agent (platform default), which is expected for a utility — combine this with the note above about network reach when deciding deployment policy.
Assessment
This skill appears to do exactly what it says: it issues GET requests to target URLs, inspects headers, and prints a grade. It does not request credentials, write installs, or phone home. Before installing or enabling it for autonomous use, confirm you trust the source (source/homepage unknown) and consider the environment where the agent will run: the skill can request arbitrary URLs, so avoid running it in an agent that has access to sensitive internal networks or services you don't want probed. If you need to run audits on production/internal sites, review the included scripts locally or run them in a network-restricted sandbox.
