SimpleHttpSkill
PassAudited by ClawScan on May 1, 2026.
Overview
This is a straightforward HTTP client with no hidden persistence or credential access, but users should be careful because it can make arbitrary API calls if given URLs and headers.
This skill appears safe for its stated purpose. Before installing or using it, be sure you trust the agent to make network requests, confirm target URLs and methods for actions that change data, and use limited-scope credentials when passing Authorization headers.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent is allowed to use this broadly, it could call real APIs, send webhooks, or perform create/update/delete actions when given appropriate URLs and headers.
The skill intentionally exposes a generic HTTP request primitive, including methods that can mutate remote systems and headers that can authorize requests.
Supports all standard methods, arbitrary headers, automatic retries with exponential backoff
Use explicit user confirmation or domain/method restrictions for mutating requests, especially POST, PUT, PATCH, and DELETE.
A token supplied to this client may permit account or workspace changes at the target service and will be sent to the requested URL.
The documentation shows that users may supply authorization tokens through headers; this is expected for API calls but gives the request the token's account privileges.
defaultHeaders: { Authorization: "Bearer <token>" }Only use scoped tokens, verify the destination URL before sending credentials, and avoid reusing high-privilege tokens for unrelated requests.