httplint
v1.0.1
HTTP client & server misconfiguration detector -- detects insecure connections, missing timeouts, cookie security issues, caching misconfigurations, and requ...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
The skill is an on‑host HTTP misconfiguration scanner and the code files implement file discovery, regex-based pattern scanning, report generation, and license checks. Required binaries (git, bash, python3, jq) are used by the scripts. The brew install of lefthook is appropriate for the advertised git hook integration. One small metadata mismatch: registry metadata lists 'Required env vars: none' while a primary credential HTTPLINT_LICENSE_KEY is declared — that credential is optional for free scans but required for Pro/Team features.
Instruction Scope
Runtime instructions point the agent to run dispatcher.sh/dispatcher via the scripts. The scripts only operate on local files (with sensible .gitignore and directory exclusions) and produce local reports. The license module reads ~/.openclaw/openclaw.json as a fallback to obtain a license key (this path is also declared in SKILL.md metadata). Pre-commit/pre-push lefthook entries source the skill scripts and will run scans on staged files and on push if hooks are installed — that is expected for a hook-integrated linter, but it means the skill's code may be executed automatically during git operations if you install hooks.
Install Mechanism
The only install action declared is to install the well-known lefthook formula via brew. Using a community package manager formula (brew) for a known tool is low risk. The skill does not include any arbitrary remote downloads or extract steps.
Credentials
The primary credential is HTTPLINT_LICENSE_KEY which the code uses to unlock pro/team patterns — this is proportionate. The license module also optionally references CLAWHUB_JWT_SECRET (for signature verification) which is not declared in the skill metadata and whose name differs from the rest of the project (possible leftover/typo). License retrieval falls back to reading ~/.openclaw/openclaw.json; this is reasonable for convenience but it does mean the skill will read that config file to extract stored keys.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It can install lefthook hooks into a repository (writes/updates lefthook.yml and runs lefthook install) which is expected for a git-hook linter but is a repository-level change you should consent to. Hooks will execute the skill's scripts during commit/push if installed.
Assessment
This skill is internally consistent for an on‑host HTTP configuration linter, but check the following before installing:
(1) The license key HTTPLINT_LICENSE_KEY unlocks Pro/Team behavior — only set it if you trust the publisher. The tool will also try to read ~/.openclaw/openclaw.json to find a saved key.
(2) License code references an undocumented CLAWHUB_JWT_SECRET environment variable (likely for optional signature verification) — if you set such a secret, be aware it is only used locally for validating tokens; the skill does not transmit data.
(3) Installing the optional lefthook hooks will write/modify lefthook.yml in your repository and cause the scanner to run on commit/push; review the hook contents and the scripts themselves before running lefthook install.
(4) If you want maximal safety, run the scanner manually (bash scripts/dispatcher.sh scan .) in a contained repo first, inspect patterns.sh/analyzer.sh for rules you care about, and avoid installing hooks until comfortable.
If anything looks unexpected, do not supply a license key or install the hooks until you investigate further.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🌐 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: HTTPLINT_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook