ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SimpleHttpSkill

v0.1.0

Make HTTP requests (GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS) with custom headers, automatic retries, and graceful error handling. Use when the user need...

0· 502·0 current·0 all-time
byStephen Standridge@stephen-standridge
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the code and SKILL.md: a generic HTTP client with retries and backoff. There are no unrelated environment variables, binaries, or configuration paths requested.
Instruction Scope
The SKILL.md instructs the agent to import and use the included src/http-client.js and documents inputs/outputs and behavior. It does not direct the agent to read unrelated files, environment variables, or send data to endpoints other than those provided by the caller.
Install Mechanism
No install spec is provided (instruction-only deployment) and the included code is a small local JS file. Nothing is downloaded from external URLs or written to system locations during install.
Credentials
The skill requests no environment variables or credentials, which is appropriate. Note: callers can supply arbitrary headers (e.g., Authorization) so the skill can transmit sensitive tokens if you provide them — the skill itself does not request or store secrets.
Persistence & Privilege
always is false and the skill does not request persistent system-level privileges or modify other skills. It is user-invocable and may be invoked autonomously by the agent (platform default).
Assessment
This skill appears to do exactly what it says: make HTTP requests using built-in Node modules with retries and graceful errors. Before installing, consider that the skill can send arbitrary requests to any URL you provide (including any headers you pass), so do not supply sensitive tokens or credentials unless you trust the agent and target endpoint. If you want to limit risk, run the skill in a restricted environment or network sandbox, and avoid embedding secrets in defaultHeaders; prefer passing credentials explicitly per-call and validate target URLs to avoid SSRF or unintended exfiltration.

Like a lobster shell, security has layers — review code before you run it.

latestvk979nwcyg5zyhhy2215xws2xm581x2t0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments