SimpleHttpSkill
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: simplehttpskill
Version: 0.1.0

The skill provides a general-purpose HTTP client (`src/http-client.js`) that can issue arbitrary requests (GET, POST, PUT, and so on) to any user-supplied URL. The implementation is clean, depends only on built-in Node.js modules, and shows no direct evidence of malicious intent: it does not read sensitive files or environment variables and contains no obfuscation. The core capability, however, is unconstrained outbound HTTP, which is inherently high-risk. An agent that is prompted to target internal network resources could use it for Server-Side Request Forgery (SSRF), and an agent that has access to sensitive data could use it to exfiltrate that data. The skill is therefore classified as suspicious on the strength of this powerful, potentially exploitable capability rather than on any observed misuse.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill intentionally exposes a generic HTTP request primitive, including methods that can change state on remote systems and headers that can authorize requests. If an agent is allowed to use it broadly, it can call real APIs, send webhooks, or perform create, update, and delete actions whenever it is given suitable URLs and headers.
Evidence (from the skill's documentation): "Supports all standard methods, arbitrary headers, automatic retries with exponential backoff"
Recommendation: Require explicit user confirmation, or enforce domain and method restrictions, for mutating requests, especially POST, PUT, PATCH, and DELETE.

The documentation shows that users may supply authorization tokens through headers. This is expected for API calls, but it gives every request the privileges of the token's account, and the token is sent to whatever URL is requested. A token supplied to this client may therefore permit account or workspace changes at the target service.
Evidence (from the skill's documentation): `defaultHeaders: { Authorization: "Bearer <token>" }`
Recommendation: Use only narrowly scoped tokens, verify the destination URL before sending credentials, and do not reuse high-privilege tokens for unrelated requests.
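Both recommendations above (domain and method restrictions with confirmation for mutating requests, and not sending credentials to unverified destinations), together with the SSRF concern raised in the overview, can be enforced by a policy gate placed in front of the request primitive rather than by trusting the agent's prompt. The following is an added example written for this review, not code from the skill or its author. The host allowlist, the environment-variable names, the functions `evaluate`, `guardRequest` and `demo`, and the `request(method, url, headers)` transport shape are assumptions made for the illustration; the skill's real API may differ.

```javascript
// Added example (not the skill's own code): a policy gate in front of a
// generic HTTP primitive such as src/http-client.js. Host list, env-var
// names and the request(method, url, headers) callback shape are assumed.

// Constructed sample policy: which hosts the agent may reach, whether
// mutating methods are allowed there, and which credential (by env var) is
// bound to each host. Anything not listed is refused, so internal services
// never receive a request, and a token can only travel to its own host.
// A Map is used instead of a plain object so that hostnames such as
// "constructor" cannot match an inherited Object.prototype property.
const POLICY = new Map([
  ["api.example.com",    { tokenEnv: "EXAMPLE_API_TOKEN", allowMutating: true }],
  ["hooks.example.net",  { tokenEnv: null,                allowMutating: true }],
  ["status.example.org", { tokenEnv: null,                allowMutating: false }],
]);

const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Literal IP addresses are refused outright. The WHATWG URL parser has
// already normalised shorthand forms (0x7f.1, 2130706433, ...) into dotted
// quads, and IPv6 literals keep their brackets in `hostname`, so two
// patterns are enough to catch loopback, RFC 1918 and metadata addresses.
function isIpLiteral(hostname) {
  return /^\d+\.\d+\.\d+\.\d+$/.test(hostname) || /^\[.*\]$/.test(hostname);
}

// Decide whether a request may go out and, if so, exactly what goes out.
// `confirmed` records that the user approved a mutating call; `env` is the
// credential store (defaults to the process environment).
function evaluate(method, url, headers = {}, { confirmed = false, env = process.env } = {}) {
  let u;
  try {
    u = new URL(url);
  } catch {
    return { allow: false, reason: "unparseable URL" };
  }
  if (u.protocol !== "https:") return { allow: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { allow: false, reason: "credentials embedded in URL" };
  if (isIpLiteral(u.hostname)) return { allow: false, reason: "literal IP address" };

  const rule = POLICY.get(u.hostname);
  if (!rule) return { allow: false, reason: `host ${u.hostname} not in allowlist` };

  const m = String(method).toUpperCase();
  if (MUTATING.has(m)) {
    if (!rule.allowMutating) return { allow: false, reason: `${m} not permitted for ${u.hostname}` };
    if (!confirmed) return { allow: false, reason: `${m} requires explicit user confirmation` };
  }

  // Never forward a caller-supplied Authorization header: a token pasted into
  // defaultHeaders would otherwise travel to whatever URL the agent was told
  // to hit. Attach only the credential bound to this host, if there is one.
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() !== "authorization") out[k] = v;
  }
  if (rule.tokenEnv) {
    const token = env[rule.tokenEnv];
    if (!token) return { allow: false, reason: `no credential in ${rule.tokenEnv}` };
    out.Authorization = `Bearer ${token}`;
  }
  return { allow: true, method: m, url: u.toString(), headers: out };
}

// Wrap any transport with the shape (method, url, headers) so the policy is
// applied before the network is touched. Per-call options (e.g. confirmed)
// override the defaults given when the wrapper is built.
function guardRequest(request, defaults = {}) {
  return (method, url, headers, callOpts = {}) => {
    const d = evaluate(method, url, headers, { ...defaults, ...callOpts });
    if (!d.allow) throw new Error(`blocked: ${d.reason}`);
    return request(d.method, d.url, d.headers);
  };
}

// Offline demonstration with a fake transport that only records what it
// would have sent; no real network request is made.
function demo() {
  const sent = [];
  const fakeTransport = (method, url, headers) => { sent.push({ method, url, headers }); return { status: 200 }; };
  const http = guardRequest(fakeTransport, { env: { EXAMPLE_API_TOKEN: "scoped-token" } });
  const blocked = [];
  const calls = [
    ["GET",  "https://status.example.org/health"],
    ["GET",  "http://169.254.169.254/latest/meta-data/"],
    ["GET",  "https://10.0.0.1/admin"],
    ["POST", "https://api.example.com/v1/items", { "Content-Type": "application/json" }],
    ["POST", "https://api.example.com/v1/items", { "Content-Type": "application/json" }, { confirmed: true }],
    ["POST", "https://hooks.example.net/h", { Authorization: "Bearer leaked" }, { confirmed: true }],
  ];
  for (const [m, url, h, o] of calls) {
    try { http(m, url, h, o); } catch (e) { blocked.push(`${m} ${url}: ${e.message}`); }
  }
  return { sent, blocked };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats apply to a gate of this shape. A hostname allowlist does not protect against an allowed host answering with a 3xx redirect to an internal address, so the underlying client should either not follow redirects or run each redirect target back through `evaluate` before continuing. And the allowlist is a deny-by-default control: a host the agent legitimately needs will be refused until it is added, which is the intended behaviour for a primitive this powerful, but it means the policy has to be maintained alongside the skill's use.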
