Http Sec Audit

by John Wang (@johnnywang2001) · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ✓ Security Clean
Downloads: 233 · Stars: 0 · Active Installs: 1 · Versions: 1

Install in OpenClaw: /install http-sec-audit
Description
Audit HTTP security headers for any website. Use when a user asks to check security headers, harden a web server, audit HSTS/CSP/X-Frame-Options compliance,...
README (SKILL.md)

HTTP Security Headers Audit

Scan any URL for missing or misconfigured security headers and get an actionable report with grades, fix recommendations, and info-leak detection.

Quick Start

python3 scripts/sec_headers.py https://example.com

Commands

# Single URL audit
python3 scripts/sec_headers.py https://example.com

# Multiple URLs
python3 scripts/sec_headers.py https://example.com https://google.com https://github.com

# JSON output (for programmatic use)
python3 scripts/sec_headers.py https://example.com --json

# Custom timeout
python3 scripts/sec_headers.py https://example.com --timeout 5

What It Checks

Security headers (graded by severity):

  • Strict-Transport-Security (HSTS) — HIGH
  • Content-Security-Policy (CSP) — HIGH
  • X-Content-Type-Options — MEDIUM
  • X-Frame-Options — MEDIUM
  • Referrer-Policy — MEDIUM
  • Permissions-Policy — MEDIUM
  • X-XSS-Protection — LOW
  • Cross-Origin-Opener-Policy (COOP) — LOW
  • Cross-Origin-Resource-Policy (CORP) — LOW
  • Cross-Origin-Embedder-Policy (COEP) — LOW

Info leak detection:

  • Server header (software version disclosure)
  • X-Powered-By (technology stack leak)
  • X-AspNet-Version (framework version leak)

Grading

Grade  Score   Meaning
A      90–100  Excellent — all critical headers present
B      75–89   Good — minor gaps
C      50–74   Fair — important headers missing
D      25–49   Poor — significant exposure
F      0–24    Failing — most headers absent

Dependencies

pip install requests
Usage Guidance
This skill appears to do what it advertises: issue HTTP(S) GETs to target URLs and report header findings. Before installing, consider that: (1) running it will perform outbound requests from the agent's environment — the target will see the agent's IP and the provided User-Agent string; (2) header values can include version strings or other info you may not want exposed if you run scans against sensitive/internal endpoints — run such scans from an appropriate, consented environment; (3) it depends on the Python 'requests' package (pip install requests); and (4) as with any third-party code, review the script if you have strict security policies or run it in a sandboxed environment. Overall it is internally coherent and proportional to its purpose.
Capability Analysis
Type: OpenClaw Skill
Name: http-sec-audit
Version: 1.0.0
The skill is a legitimate security tool designed to audit HTTP security headers (e.g., HSTS, CSP, XFO) and detect information leaks in server headers. The Python script 'scripts/sec_headers.py' uses the standard 'requests' library to fetch headers and perform a weighted scoring analysis without any evidence of data exfiltration, command injection, or malicious intent.
Capability Assessment
Purpose & Capability
Name/description align with required files and behavior: the skill ships a Python script that performs HTTP GETs and inspects headers. No unrelated binaries, env vars, or credentials are requested.
Instruction Scope
SKILL.md only instructs running the included script and installing the 'requests' dependency; the script only reads HTTP response headers and prints or emits JSON. It does not read local files, other env vars, or send results to external endpoints.
Install Mechanism
No install spec; this is an instruction-only skill with a bundled Python script. The only dependency is the public 'requests' package (pip). Nothing is downloaded from untrusted URLs or written outside the skill's file.
Credentials
No credentials, config paths, or sensitive environment variables are required. The script uses an explicit User-Agent when making requests (not a secret) and does not access other environment data.
Persistence & Privilege
Skill is not always-enabled and does not request persistent elevated privileges or modify other skills or system-wide settings. It runs only when invoked.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install http-sec-audit
  3. After installation, invoke the skill by name or use /http-sec-audit
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of http-sec-audit.
  • Audits 10 key HTTP security headers for any website.
  • Detects information leaks from headers like Server and X-Powered-By.
  • Provides per-header grading (A–F) and actionable fix recommendations.
  • Supports scanning multiple URLs and JSON output.
  • Includes command-line options for timeout configuration.
Metadata
Slug http-sec-audit
Version 1.0.0
License MIT-0
All-time Installs 1
Active Installs 1
Total Versions 1
Frequently Asked Questions

What is Http Sec Audit?

Audit HTTP security headers for any website. Use when a user asks to check security headers, harden a web server, audit HSTS/CSP/X-Frame-Options compliance,... It is an AI Agent Skill for Claude Code / OpenClaw, with 233 downloads so far.

How do I install Http Sec Audit?

Run "/install http-sec-audit" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Http Sec Audit free?

Yes, Http Sec Audit is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Http Sec Audit support?

Http Sec Audit is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Http Sec Audit?

It is built and maintained by John Wang (@johnnywang2001); the current version is v1.0.0.
