← Back to Skills Marketplace
103
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install httplint
Description
HTTP client & server misconfiguration detector -- detects insecure connections, missing timeouts, cookie security issues, caching misconfigurations, and requ...
README (SKILL.md)
\r \r
HTTPLint -- HTTP Client & Server Misconfiguration Detector\r
\r HTTPLint scans codebases for HTTP client/server misconfigurations, insecure connections, missing timeouts, cookie security issues, caching misconfigurations, header problems, and request handling vulnerabilities. It uses regex-based pattern matching against 90 HTTP-specific patterns across 6 categories, lefthook for git hook integration, and produces markdown reports with actionable remediation guidance. 100% local. Zero telemetry.\r \r
Commands\r
\r
Free Tier (No license required)\r
\r
httplint scan [file|directory]\r
One-shot HTTP configuration scan of files or directories.\r \r How to execute:\r
bash "\x3CSKILL_DIR>/scripts/dispatcher.sh" --path [target]\r
```\r
\r
**What it does:**\r
1. Accepts a file path or directory (defaults to current directory)\r
2. Discovers all source files (skips .git, node_modules, binaries, images, .min.js)\r
3. Runs 30 HTTP configuration patterns against each file (free tier limit)\r
4. Calculates an HTTP configuration quality score (0-100) per file and overall\r
5. Grades: A (90-100), B (80-89), C (70-79), D (60-69), F (\x3C60)\r
6. Outputs findings with: file, line number, check ID, severity, description, recommendation\r
7. Exit code 0 if score >= 70, exit code 1 if HTTP configuration quality is poor\r
8. Free tier limited to first 30 patterns (HC + HS categories)\r
\r
**Example usage scenarios:**\r
- "Scan my code for HTTP issues" -> runs `httplint scan .`\r
- "Check this file for HTTP misconfigurations" -> runs `httplint scan src/server.ts`\r
- "Find insecure HTTP connections" -> runs `httplint scan src/`\r
- "Audit HTTP configuration quality in my project" -> runs `httplint scan .`\r
- "Check for cookie security issues" -> runs `httplint scan .`\r
\r
### Pro Tier ($19/user/month -- requires HTTPLINT_LICENSE_KEY)\r
\r
#### `httplint scan --tier pro [file|directory]`\r
Extended scan with 60 patterns covering HTTP client, server, cookie security, and caching headers.\r
\r
**How to execute:**\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/dispatcher.sh" --path [target] --tier pro\r
```\r
\r
**What it does:**\r
1. Validates Pro+ license\r
2. Runs 60 HTTP patterns (HC, HS, CK, CH categories)\r
3. Detects cookie security issues (missing Secure flag, SameSite, session fixation)\r
4. Identifies caching and header misconfigurations\r
5. Full category breakdown reporting\r
\r
#### `httplint scan --format json [directory]`\r
Generate JSON output for CI/CD integration.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format json\r
```\r
\r
#### `httplint scan --format html [directory]`\r
Generate HTML report for browser viewing.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/dispatcher.sh" --path [directory] --format html\r
```\r
\r
#### `httplint scan --category CK [directory]`\r
Filter scan to a specific check category (HC, HS, CK, CH, RH, ER).\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/dispatcher.sh" --path [directory] --category CK\r
```\r
\r
### Team Tier ($39/user/month -- requires HTTPLINT_LICENSE_KEY with team tier)\r
\r
#### `httplint scan --tier team [directory]`\r
Full scan with all 90 patterns across all 6 categories including request handling and error response.\r
\r
**How to execute:**\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/dispatcher.sh" --path [directory] --tier team\r
```\r
\r
**What it does:**\r
1. Validates Team+ license\r
2. Runs all 90 patterns across 6 categories\r
3. Includes request handling checks (input validation, content-length, redirects, smuggling)\r
4. Includes error and response checks (stack traces, status codes, error handling, response format)\r
5. Full category breakdown with per-file results\r
\r
#### `httplint scan --verbose [directory]`\r
Verbose output showing every matched line and pattern details.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/dispatcher.sh" --path [directory] --verbose\r
```\r
\r
#### `httplint status`\r
Show license and configuration information.\r
\r
```bash\r
bash "\x3CSKILL_DIR>/scripts/dispatcher.sh" status\r
```\r
\r
## Check Categories\r
\r
HTTPLint detects 90 HTTP misconfiguration patterns across 6 categories:\r
\r
| Category | Code | Patterns | Description | Severity Range |\r
|----------|------|----------|-------------|----------------|\r
| **HTTP Client** | HC | 15 | Missing timeouts, no retries, insecure connections, hardcoded URLs, missing User-Agent | medium -- critical |\r
| **HTTP Server** | HS | 15 | Missing CORS configuration, no rate limiting, improper status codes, missing middleware | medium -- critical |\r
| **Cookie & Session** | CK | 15 | Missing Secure flag, no SameSite attribute, session fixation, insecure token storage | high -- critical |\r
| **Caching & Headers** | CH | 15 | Missing cache control, no ETags, missing security headers, improper content type | medium -- high |\r
| **Request Handling** | RH | 15 | Missing input validation, content-length issues, open redirects, request smuggling | high -- critical |\r
| **Error & Response** | ER | 15 | Stack trace exposure, improper status codes, missing error handling, response format issues | medium -- high |\r
\r
## Tier-Based Pattern Access\r
\r
| Tier | Patterns | Categories |\r
|------|----------|------------|\r
| **Free** | 30 | HC, HS |\r
| **Pro** | 60 | HC, HS, CK, CH |\r
| **Team** | 90 | HC, HS, CK, CH, RH, ER |\r
| **Enterprise** | 90 | HC, HS, CK, CH, RH, ER + priority support |\r
\r
## Scoring\r
\r
HTTPLint uses a deductive scoring system starting at 100 (perfect):\r
\r
| Severity | Point Deduction | Description |\r
|----------|-----------------|-------------|\r
| **Critical** | -25 per finding | Severe security issue (insecure connections, missing authentication) |\r
| **High** | -15 per finding | Significant quality problem (missing timeouts, no CORS) |\r
| **Medium** | -8 per finding | Moderate concern (missing headers, caching issues) |\r
| **Low** | -3 per finding | Informational / best practice suggestion |\r
\r
### Grading Scale\r
\r
| Grade | Score Range | Meaning |\r
|-------|-------------|---------|\r
| **A** | 90-100 | Excellent HTTP configuration quality |\r
| **B** | 80-89 | Good configuration with minor issues |\r
| **C** | 70-79 | Acceptable but needs improvement |\r
| **D** | 60-69 | Poor HTTP configuration quality |\r
| **F** | Below 60 | Critical HTTP configuration problems |\r
\r
- **Pass threshold:** 70 (Grade C or better)\r
- Exit code 0 = pass (score >= 70)\r
- Exit code 1 = fail (score \x3C 70)\r
\r
## Configuration\r
\r
Users can configure HTTPLint in `~/.openclaw/openclaw.json`:\r
\r
```json\r
{\r
"skills": {\r
"entries": {\r
"httplint": {\r
"enabled": true,\r
"apiKey": "YOUR_LICENSE_KEY_HERE",\r
"config": {\r
"severityThreshold": "medium",\r
"ignorePatterns": ["**/test/**", "**/fixtures/**", "**/*.test.*"],\r
"ignoreChecks": [],\r
"reportFormat": "text"\r
}\r
}\r
}\r
}\r
}\r
```\r
\r
## Important Notes\r
\r
- **Free tier** works immediately with no configuration\r
- **All scanning happens locally** -- no code is sent to external servers\r
- **License validation is offline** -- no phone-home or network calls\r
- Pattern matching only -- no AST parsing, no external dependencies beyond bash\r
- Supports scanning all file types in a single pass\r
- Git hooks use **lefthook** which must be installed (see install metadata above)\r
- Exit codes: 0 = pass (score >= 70), 1 = fail (for CI/CD integration)\r
- Output formats: text (default), json, html\r
\r
## Error Handling\r
\r
- If lefthook is not installed and user tries hooks, prompt to install it\r
- If license key is invalid or expired, show clear message with link to https://httplint.pages.dev/renew\r
- If a file is binary, skip it automatically with no warning\r
- If no scannable files found in target, report clean scan with info message\r
- If an invalid category is specified with --category, show available categories\r
\r
## When to Use HTTPLint\r
\r
The user might say things like:\r
- "Scan my code for HTTP issues"\r
- "Check my HTTP configuration"\r
- "Find insecure HTTP connections"\r
- "Detect missing timeouts in my HTTP clients"\r
- "Are there any hardcoded URLs in my code?"\r
- "Check for missing CORS configuration"\r
- "Audit my cookie security"\r
- "Find missing security headers"\r
- "Check for request smuggling vulnerabilities"\r
- "Scan for HTTP anti-patterns"\r
- "Run an HTTP configuration audit"\r
- "Generate an HTTP quality report"\r
- "Check if cookies have the Secure flag"\r
- "Find missing rate limiting in my API"\r
- "Check my code for HTTP security issues"\r
Usage Guidance
This skill is internally consistent for an on‑host HTTP configuration linter, but check the following before installing: (1) The license key HTTPLINT_LICENSE_KEY unlocks Pro/Team behavior — only set it if you trust the publisher. The tool will also try to read ~/.openclaw/openclaw.json to find a saved key. (2) License code references an undocumented CLAWHUB_JWT_SECRET environment variable (likely for optional signature verification) — if you set such a secret, be aware it is only used locally for validating tokens; the skill does not transmit data. (3) Installing the optional lefthook hooks will write/modify lefthook.yml in your repository and cause the scanner to run on commit/push; review the hook contents and the scripts themselves before running lefthook install. (4) If you want maximal safety, run the scanner manually (bash scripts/dispatcher.sh scan .) in a contained repo first, inspect patterns.sh/analyzer.sh for rules you care about, and avoid installing hooks until comfortable. If anything looks unexpected, do not supply a license key or install the hooks until you investigate further.
Capability Analysis
Type: OpenClaw Skill
Name: httplint
Version: 1.0.1
HTTPLint is a legitimate security tool designed to scan codebases for HTTP-specific misconfigurations using regex patterns. The skill operates locally as stated, utilizing scripts like `analyzer.sh` and `patterns.sh` to perform scans and `license.sh` for offline JWT-based tier validation. While it interacts with the user's environment by reading `~/.openclaw/openclaw.json` for configuration and modifying `lefthook.yml` for git hook integration, these actions are transparently documented and consistent with the tool's purpose as a developer utility. No evidence of data exfiltration, malicious persistence, or prompt injection was found.
Capability Tags
Capability Assessment
Purpose & Capability
The skill is an on‑host HTTP misconfiguration scanner and the code files implement file discovery, regex-based pattern scanning, report generation, and license checks. Required binaries (git, bash, python3, jq) are used by the scripts. The brew install of lefthook is appropriate for the advertised git hook integration. One small metadata mismatch: registry metadata lists 'Required env vars: none' while a primary credential HTTPLINT_LICENSE_KEY is declared — that credential is optional for free scans but required for Pro/Team features.
Instruction Scope
Runtime instructions point the agent to run dispatcher.sh/dispatcher via the scripts. The scripts only operate on local files (with sensible .gitignore and directory exclusions) and produce local reports. The license module reads ~/.openclaw/openclaw.json as a fallback to obtain a license key (this path is also declared in SKILL.md metadata). Pre-commit/pre-push lefthook entries source the skill scripts and will run scans on staged files and on push if hooks are installed — that is expected for a hook-integrated linter, but it means the skill's code may be executed automatically during git operations if you install hooks.
Install Mechanism
The only install action declared is to install the well-known lefthook formula via brew. Using a community package manager formula (brew) for a known tool is low risk. The skill does not include any arbitrary remote downloads or extract steps.
Credentials
The primary credential is HTTPLINT_LICENSE_KEY which the code uses to unlock pro/team patterns — this is proportionate. The license module also optionally references CLAWHUB_JWT_SECRET (for signature verification) which is not declared in the skill metadata and whose name differs from the rest of the project (possible leftover/typo). License retrieval falls back to reading ~/.openclaw/openclaw.json; this is reasonable for convenience but it does mean the skill will read that config file to extract stored keys.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It can install lefthook hooks into a repository (writes/updates lefthook.yml and runs lefthook install) which is expected for a git-hook linter but is a repository-level change you should consent to. Hooks will execute the skill's scripts during commit/push if installed.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install httplint - After installation, invoke the skill by name or use
/httplint - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Fix: declare all deps, JWT verification, configPaths
v1.0.0
Initial release of HTTPLint – a tool for detecting HTTP client and server misconfigurations.
- Scans codebases for insecure HTTP connections, missing timeouts, cookie security, caching, and HTTP header issues.
- Supports free, pro, and team tiers with increasing pattern coverage (30, 60, 90 patterns).
- Outputs actionable reports in text, JSON, or HTML; supports CI/CD and local workflows.
- 100% local analysis, no telemetry or external dependencies (requires git, bash, lefthook).
- Integrates with git hooks through lefthook; provides license and config commands.
- Flexible configuration via `~/.openclaw/openclaw.json`, including severity thresholds and output formats.
Metadata
Frequently Asked Questions
What is httplint?
HTTP client & server misconfiguration detector -- detects insecure connections, missing timeouts, cookie security issues, caching misconfigurations, and requ... It is an AI Agent Skill for Claude Code / OpenClaw, with 103 downloads so far.
How do I install httplint?
Run "/install httplint" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is httplint free?
Yes, httplint is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does httplint support?
httplint is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux, win32).
Who created httplint?
It is built and maintained by suhteevah (@suhteevah); the current version is v1.0.1.
More Skills