Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

http-requests-1.0.0

v1.0.0

Send HTTP requests with Python requests instead of curl when quoting and escaping would be error-prone. Use for GET, POST, PUT, DELETE requests with headers,...

by Pumpkin @pumpkinttl
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included script: the Python script implements GET/POST/PUT/DELETE, headers/params/json/data, timeouts, and writes light logs. Nothing in the code requires unrelated credentials or binaries.
! Instruction Scope
SKILL.md promises to avoid logging sensitive values, but the script logs the original args.url (which can contain sensitive query parameters) and prints response bodies to stdout. A redact_headers helper exists but is not used for logging. These gaps mean secrets could be exposed despite the 'do not log' claim.
Install Mechanism
Instruction-only skill (no install spec) — low install risk. The script depends on the third-party 'requests' package but does not declare or install it; the runtime must already have requests available or the call will fail.
Credentials
The skill requests no environment variables or credentials. Example usage shows passing Authorization headers or form passwords as arguments, which is expected for an HTTP helper, but those can be exposed via URL/console if used carelessly.
Persistence & Privilege
No always:true flag and no system-wide persistence. The skill writes per-day logs under its own logs/ directory (normal for a local helper).
What to consider before installing
This skill is functionally coherent but not fully protective of secrets. Before installing or using it:
(1) avoid putting sensitive tokens in URL query strings (the script logs args.url unredacted);
(2) avoid passing secrets on the command line where other processes/command history can capture them; prefer sending tokens in headers and verify the headers are redacted in any logs;
(3) be aware the script prints response bodies to stdout (which your agent or host may capture);
(4) install or ensure the 'requests' Python package is available or add an explicit install step;
(5) consider patching the script to redact query params from logged URLs (or to omit logging the URL entirely) and to actually use redact_headers when persisting any headers.
If you cannot review or modify the code, run it in an isolated environment and do not use it with real credentials or sensitive endpoints.


latest vk970mzemrkeq64tkd3a6tvs91d8497f5
