SimpleHttpSkill

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent is allowed to use this broadly, it could call real APIs, send webhooks, or perform create/update/delete actions when given appropriate URLs and headers.

Why it was flagged

The skill intentionally exposes a generic HTTP request primitive, including methods that can mutate remote systems and headers that can authorize requests.

Skill content

Supports all standard methods, arbitrary headers, automatic retries with exponential backoff

Recommendation

Use explicit user confirmation or domain/method restrictions for mutating requests, especially POST, PUT, PATCH, and DELETE.

What this means

A token supplied to this client may permit account or workspace changes at the target service and will be sent to the requested URL.

Why it was flagged

The documentation shows that users may supply authorization tokens through headers; this is expected for API calls but gives the request the token's account privileges.

Skill content

defaultHeaders: { Authorization: "Bearer <token>" }

Recommendation

Only use scoped tokens, verify the destination URL before sending credentials, and avoid reusing high-privilege tokens for unrelated requests.