Headers

v1.0.0

Audit HTTP security headers for any website — checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for rogue-agent1/headers.

Install the skill "Headers" (rogue-agent1/headers) from ClawHub.
Skill page: https://clawhub.ai/rogue-agent1/headers
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install headers

ClawHub CLI

npx clawhub@latest install headers

Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description match the actual behavior: the scripts issue HTTP GETs, inspect response headers, grade presence of security headers, and report info-leak headers. No unrelated credentials, binaries, or config paths are requested. The duplicate files (headers.py and scripts/headers.py) are identical copies — a minor hygiene issue but not a security mismatch.
Instruction Scope
SKILL.md instructs running the included Python script which performs network requests to the provided URLs and prints/returns JSON. The instructions do not read local files, environment variables, or send data to third-party endpoints. Note: because the skill performs arbitrary HTTP requests, an agent running it could be used to probe internal or private endpoints if the agent has network access; this is expected behavior for a network-scanning utility but is a risk to be aware of.
Install Mechanism
No install spec; the skill is instruction-and-script-only and relies on Python's stdlib (urllib). This is low-risk: nothing is downloaded or written during install.
Credentials
The skill requests no environment variables or credentials. Its network access is proportional to its purpose (it must perform HTTP requests to audit headers). There are no unrelated secret accesses or config paths.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. The skill can be invoked autonomously by the agent (platform default), which is expected for a utility — combine this with the note above about network reach when deciding deployment policy.
Assessment
This skill appears to do exactly what it says: it issues GET requests to target URLs, inspects headers, and prints a grade. It does not request credentials, write installs, or phone home. Before installing or enabling it for autonomous use, confirm you trust the source (source/homepage unknown) and consider the environment where the agent will run: the skill can request arbitrary URLs, so avoid running it in an agent that has access to sensitive internal networks or services you don't want probed. If you need to run audits on production/internal sites, review the included scripts locally or run them in a network-restricted sandbox.
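
One way to act on the network-reach caveat above is to filter targets before they are handed to the skill. The following is an added example, not code from the skill or from ClawHub; the function names (check_target, resolve_addresses, is_public) and the sample targets are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve_addresses(host):
    """IP addresses for a host; IP literals are parsed without touching DNS."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        # Drop any IPv6 scope id ("fe80::1%eth0") before parsing.
        return [ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos]


def is_public(addr):
    """True only for globally routable unicast addresses."""
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:  # ::ffff:10.0.0.1 is still 10.0.0.1
        addr = mapped
    return addr.is_global and not addr.is_multicast


def check_target(target):
    """Return (allowed, reason) for one target as it would be passed to the skill."""
    # The README says bare hosts get https:// prepended; mirror that here.
    url = target if "://" in target else "https://" + target
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ("http", "https") or not host:
        return False, "not an http(s) URL with a host"
    try:
        addrs = resolve_addresses(host)
    except (socket.gaierror, UnicodeError):
        return False, "host does not resolve"
    blocked = sorted({str(a) for a in addrs if not is_public(a)})
    if blocked:
        return False, "resolves to non-public address " + ", ".join(blocked)
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample targets, not taken from the skill or its report.
    for t in ["127.0.0.1", "10.0.0.5:8443", "https://169.254.169.254/", "8.8.8.8"]:
        print(t, check_target(t))
```

The check and the later fetch resolve DNS separately, and urllib follows redirects by default, so this filter complements the network-restricted sandbox the assessment recommends rather than replacing it.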

Like a lobster shell, security has layers — review code before you run it.

Version: v1.0.0 (latest)
License: MIT-0
Downloads: 116
Updated 1mo ago

security-headers 🔒

HTTP security headers auditor with grading and info leak detection.

Commands

# Check one or more sites (auto-adds https://)
python3 scripts/headers.py github.com example.com

# JSON output
python3 scripts/headers.py --json example.com

Checks (9 headers)

  • 🔴 High: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP)
  • 🟡 Medium: X-Content-Type-Options, X-Frame-Options, Referrer-Policy
  • 🟢 Low: Permissions-Policy, X-XSS-Protection, COOP, CORP

Grading

  • A (≥78%): 7+ headers present
  • B (≥56%): 5-6 headers
  • C (≥33%): 3-4 headers
  • D (≥11%): 1-2 headers
  • F (0%): No security headers

Info Leak Detection

Flags Server, X-Powered-By, X-AspNet-Version, X-Generator headers that reveal technology stack.
