httplint

v1.0.1

HTTP client & server misconfiguration detector -- detects insecure connections, missing timeouts, cookie security issues, caching misconfigurations, and requ...

⭐ 0· 97·0 current·0 all-time

by@suhteevah

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for suhteevah/httplint.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "httplint" (suhteevah/httplint) from ClawHub.
Skill page: https://clawhub.ai/suhteevah/httplint
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, bash, python3, jq
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install httplint

ClawHub CLI

Package manager switcher

npx clawhub@latest install httplint

Security Scan

Capability signals

Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The skill is an on‑host HTTP misconfiguration scanner and the code files implement file discovery, regex-based pattern scanning, report generation, and license checks. Required binaries (git, bash, python3, jq) are used by the scripts. The brew install of lefthook is appropriate for the advertised git hook integration. One small metadata mismatch: registry metadata lists 'Required env vars: none' while a primary credential HTTPLINT_LICENSE_KEY is declared — that credential is optional for free scans but required for Pro/Team features.

ℹ

Instruction Scope

Runtime instructions point the agent to run dispatcher.sh/dispatcher via the scripts. The scripts only operate on local files (with sensible .gitignore and directory exclusions) and produce local reports. The license module reads ~/.openclaw/openclaw.json as a fallback to obtain a license key (this path is also declared in SKILL.md metadata). Pre-commit/pre-push lefthook entries source the skill scripts and will run scans on staged files and on push if hooks are installed — that is expected for a hook-integrated linter, but it means the skill's code may be executed automatically during git operations if you install hooks.

✓

Install Mechanism

The only install action declared is to install the well-known lefthook formula via brew. Using a community package manager formula (brew) for a known tool is low risk. The skill does not include any arbitrary remote downloads or extract steps.

ℹ

Credentials

The primary credential is HTTPLINT_LICENSE_KEY which the code uses to unlock pro/team patterns — this is proportionate. The license module also optionally references CLAWHUB_JWT_SECRET (for signature verification) which is not declared in the skill metadata and whose name differs from the rest of the project (possible leftover/typo). License retrieval falls back to reading ~/.openclaw/openclaw.json; this is reasonable for convenience but it does mean the skill will read that config file to extract stored keys.

ℹ

Persistence & Privilege

The skill does not request always:true and does not modify other skills. It can install lefthook hooks into a repository (writes/updates lefthook.yml and runs lefthook install) which is expected for a git-hook linter but is a repository-level change you should consent to. Hooks will execute the skill's scripts during commit/push if installed.

Assessment

This skill is internally consistent for an on‑host HTTP configuration linter, but check the following before installing: (1) The license key HTTPLINT_LICENSE_KEY unlocks Pro/Team behavior — only set it if you trust the publisher. The tool will also try to read ~/.openclaw/openclaw.json to find a saved key. (2) License code references an undocumented CLAWHUB_JWT_SECRET environment variable (likely for optional signature verification) — if you set such a secret, be aware it is only used locally for validating tokens; the skill does not transmit data. (3) Installing the optional lefthook hooks will write/modify lefthook.yml in your repository and cause the scanner to run on commit/push; review the hook contents and the scripts themselves before running lefthook install. (4) If you want maximal safety, run the scanner manually (bash scripts/dispatcher.sh scan .) in a contained repo first, inspect patterns.sh/analyzer.sh for rules you care about, and avoid installing hooks until comfortable. If anything looks unexpected, do not supply a license key or install the hooks until you investigate further.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🌐 Clawdis

OSmacOS · Linux · Windows

Binsgit, bash, python3, jq

Primary envHTTPLINT_LICENSE_KEY

Install

Install lefthook (git hooks manager)

Bins: lefthook

brew install lefthook

latestvk9789r0n4tcxbf6az9nen70pwn84vzbd

97downloads

0stars

2versions

Updated 1w ago

v1.0.1

MIT-0

macOS, Linux, Windows

HTTPLint -- HTTP Client & Server Misconfiguration Detector

HTTPLint scans codebases for HTTP client/server misconfigurations, insecure connections, missing timeouts, cookie security issues, caching misconfigurations, header problems, and request handling vulnerabilities. It uses regex-based pattern matching against 90 HTTP-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.

Commands

Free Tier (No license required)

`httplint scan [file|directory]`

One-shot HTTP configuration scan of files or directories.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does:

Accepts a file path or directory (defaults to current directory)
Discovers all source files (skips .git, node_modules, binaries, images, .min.js)
Runs 30 HTTP configuration patterns against each file (free tier limit)
Calculates an HTTP configuration quality score (0-100) per file and overall
Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (<60)
Outputs findings with: file, line number, check ID, severity, description, recommendation
Exit code 0 if score >= 70, exit code 1 if HTTP configuration quality is poor
Free tier limited to first 30 patterns (HC + HS categories)

Example usage scenarios:

"Scan my code for HTTP issues" -> runs httplint scan .
"Check this file for HTTP misconfigurations" -> runs httplint scan src/server.ts
"Find insecure HTTP connections" -> runs httplint scan src/
"Audit HTTP configuration quality in my project" -> runs httplint scan .
"Check for cookie security issues" -> runs httplint scan .

Pro Tier ($19/user/month -- requires HTTPLINT_LICENSE_KEY)

`httplint scan --tier pro [file|directory]`

Extended scan with 60 patterns covering HTTP client, server, cookie security, and caching headers.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro

What it does:

Validates Pro+ license
Runs 60 HTTP patterns (HC, HS, CK, CH categories)
Detects cookie security issues (missing Secure flag, SameSite, session fixation)
Identifies caching and header misconfigurations
Full category breakdown reporting

`httplint scan --format json [directory]`

Generate JSON output for CI/CD integration.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json

`httplint scan --format html [directory]`

Generate HTML report for browser viewing.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html

`httplint scan --category CK [directory]`

Filter scan to a specific check category (HC, HS, CK, CH, RH, ER).

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category CK

Team Tier ($39/user/month -- requires HTTPLINT_LICENSE_KEY with team tier)

`httplint scan --tier team [directory]`

Full scan with all 90 patterns across all 6 categories including request handling and error response.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team

What it does:

Validates Team+ license
Runs all 90 patterns across 6 categories
Includes request handling checks (input validation, content-length, redirects, smuggling)
Includes error and response checks (stack traces, status codes, error handling, response format)
Full category breakdown with per-file results

`httplint scan --verbose [directory]`

Verbose output showing every matched line and pattern details.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose

`httplint status`

Show license and configuration information.

bash "<SKILL_DIR>/scripts/dispatcher.sh" status

Check Categories

HTTPLint detects 90 HTTP misconfiguration patterns across 6 categories:

Category	Code	Patterns	Description	Severity Range
HTTP Client	HC	15	Missing timeouts, no retries, insecure connections, hardcoded URLs, missing User-Agent	medium -- critical
HTTP Server	HS	15	Missing CORS configuration, no rate limiting, improper status codes, missing middleware	medium -- critical
Cookie & Session	CK	15	Missing Secure flag, no SameSite attribute, session fixation, insecure token storage	high -- critical
Caching & Headers	CH	15	Missing cache control, no ETags, missing security headers, improper content type	medium -- high
Request Handling	RH	15	Missing input validation, content-length issues, open redirects, request smuggling	high -- critical
Error & Response	ER	15	Stack trace exposure, improper status codes, missing error handling, response format issues	medium -- high

Tier-Based Pattern Access

Tier	Patterns	Categories
Free	30	HC, HS
Pro	60	HC, HS, CK, CH
Team	90	HC, HS, CK, CH, RH, ER
Enterprise	90	HC, HS, CK, CH, RH, ER + priority support

Scoring

HTTPLint uses a deductive scoring system starting at 100 (perfect):

Severity	Point Deduction	Description
Critical	-25 per finding	Severe security issue (insecure connections, missing authentication)
High	-15 per finding	Significant quality problem (missing timeouts, no CORS)
Medium	-8 per finding	Moderate concern (missing headers, caching issues)
Low	-3 per finding	Informational / best practice suggestion

Grading Scale

Grade	Score Range	Meaning
A	90-100	Excellent HTTP configuration quality
B	80-89	Good configuration with minor issues
C	70-79	Acceptable but needs improvement
D	60-69	Poor HTTP configuration quality
F	Below 60	Critical HTTP configuration problems

Pass threshold: 70 (Grade C or better)
Exit code 0 = pass (score >= 70)
Exit code 1 = fail (score < 70)

Configuration

Users can configure HTTPLint in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "httplint": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],
          "ignoreChecks": [],
          "reportFormat": "text"
        }
      }
    }
  }
}

Important Notes

Free tier works immediately with no configuration
All scanning happens locally -- no code is sent to external servers
License validation is offline -- no phone-home or network calls
Pattern matching only -- no AST parsing, no external dependencies beyond bash
Supports scanning all file types in a single pass
Git hooks use lefthook which must be installed (see install metadata above)
Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)
Output formats: text (default), json, html

Error Handling

If lefthook is not installed and user tries hooks, prompt to install it
If license key is invalid or expired, show clear message with link to https://httplint.pages.dev/renew
If a file is binary, skip it automatically with no warning
If no scannable files found in target, report clean scan with info message
If an invalid category is specified with --category, show available categories

When to Use HTTPLint

The user might say things like:

"Scan my code for HTTP issues"
"Check my HTTP configuration"
"Find insecure HTTP connections"
"Detect missing timeouts in my HTTP clients"
"Are there any hardcoded URLs in my code?"
"Check for missing CORS configuration"
"Audit my cookie security"
"Find missing security headers"
"Check for request smuggling vulnerabilities"
"Scan for HTTP anti-patterns"
"Run an HTTP configuration audit"
"Generate an HTTP quality report"
"Check if cookies have the Secure flag"
"Find missing rate limiting in my API"
"Check my code for HTTP security issues"

Comments

Loading comments...