HTTP Header Analyzer
by HostileSpider · v1.0.0 · MIT-0
92 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install http-header-analyzer
Description
Analyze HTTP security headers and TLS configuration. Find missing headers, weak ciphers, and misconfigurations in web applications.
README (SKILL.md)
HTTP Header Analyzer
Check HTTP security headers and TLS configuration. Find missing protections and misconfigurations.
Quick Start
# Analyze a single URL
python3 {baseDir}/scripts/analyze-headers.py https://example.com
# Check multiple targets
python3 {baseDir}/scripts/analyze-headers.py -f urls.txt
# JSON output
python3 {baseDir}/scripts/analyze-headers.py https://example.com --json
Headers Checked
| Header | Purpose | Risk if Missing |
|---|---|---|
| Strict-Transport-Security | Forces HTTPS | Medium |
| Content-Security-Policy | XSS protection | Medium-High |
| X-Frame-Options | Clickjacking protection | Medium |
| X-Content-Type-Options | MIME sniffing protection | Low |
| X-XSS-Protection | XSS filter (legacy) | Low |
| Referrer-Policy | Controls referrer leakage | Low |
| Permissions-Policy | Feature restrictions | Low |
| Cross-Origin-Opener-Policy | Cross-origin isolation | Low |
| Cross-Origin-Embedder-Policy | Cross-origin isolation | Low |
| Cross-Origin-Resource-Policy | Cross-origin protection | Low |
Options
- URL — Target URL(s) to analyze
- -f FILE — File with URLs (one per line)
- --json — JSON output
- --follow — Follow redirects (default: yes)
- --timeout SECS — Request timeout (default: 10)
- --user-agent UA — Custom User-Agent
- --check-tls — Also check TLS certificate info
- --severity LEVEL — Minimum severity to report: low, medium, high
Output
=== https://example.com ===
✅ Strict-Transport-Security: max-age=31536000; includeSubDomains
✅ Content-Security-Policy: default-src 'self'
❌ X-Frame-Options: MISSING (clickjacking risk)
✅ X-Content-Type-Options: nosniff
❌ Referrer-Policy: MISSING
⚠️ Server: nginx/1.18.0 (version exposed)
Score: 3/6 security headers present
Risk: MEDIUM
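The presence check and `--severity` filter described above, applied to a captured header set. This is an added example, not the skill's own `analyze-headers.py`; the rank given to "medium-high", the low severity of the Server banner and the two value checks are assumptions made here.

```python
import re

# Risk if missing, copied from the "Headers Checked" table.
RISK_IF_MISSING = {
    "Strict-Transport-Security": "medium",
    "Content-Security-Policy": "medium-high",
    "X-Frame-Options": "medium",
    **dict.fromkeys(("X-Content-Type-Options", "X-XSS-Protection", "Referrer-Policy",
                     "Permissions-Policy", "Cross-Origin-Opener-Policy",
                     "Cross-Origin-Embedder-Policy", "Cross-Origin-Resource-Policy"), "low"),
}
# Assumption: "medium-high" ranks between the medium and high --severity levels.
RANK = {"low": 1, "medium": 2, "medium-high": 3, "high": 4}

def _hsts_ineffective(value):  # max-age is required; max-age=0 clears the policy
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return m is None or int(m.group(1)) == 0

# Assumption (not on the page): a header can be present and still do nothing.
INEFFECTIVE = {"strict-transport-security": _hsts_ineffective,
               "x-content-type-options": lambda v: v.strip().lower() != "nosniff"}

def analyze(headers, min_severity="low"):
    """Return (findings, effective_count); findings are (risk, header, detail)."""
    got = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    floor, findings, effective = RANK[min_severity], [], 0
    for name, risk in RISK_IF_MISSING.items():
        value, bad = got.get(name.lower()), INEFFECTIVE.get(name.lower())
        if value is not None and not (bad and bad(value)):
            effective += 1
            continue
        detail = "MISSING" if value is None else f"INEFFECTIVE: {value}"
        if RANK[risk] >= floor:
            findings.append((risk, name, detail))
    server = got.get("server", "")
    if re.search(r"/\d", server) and RANK["low"] >= floor:  # assumption: low severity
        findings.append(("low", "Server", f"{server} (version exposed)"))
    return findings, effective

# Constructed input mirroring the Output sample above.
SAMPLE = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx/1.18.0",
}

if __name__ == "__main__":
    print(*analyze(SAMPLE, "medium")[0], sep="\n")
```

Header names are matched case-insensitively because servers and proxies differ in how they capitalise them.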
Usage Guidance
This skill's code matches its description: it will perform HTTP(S) requests to any URL(s) you give it and report missing security headers and basic TLS info. Two things to consider before installing or running it: (1) SKILL.md declares 'curl' as a required binary even though the shipped Python script uses requests/urllib — this is likely a packaging or metadata error but worth noting. (2) The script intentionally disables TLS certificate verification when fetching headers and when checking TLS (verify=False / CERT_NONE) so it will accept invalid/expired certificates for scanning purposes; that is typically fine for enumerating headers but means it won't validate server identity. There are no hidden network endpoints or secret exfiltration code in the files provided. If you will scan external sites, ensure you have permission to do so and run scans from a network/location you control. If you want to be extra cautious, inspect the local script yourself or run it in an isolated environment before granting broader access.
Capability Analysis
Type: OpenClaw Skill
Name: http-header-analyzer
Version: 1.0.0
The skill bundle is a legitimate tool for analyzing HTTP security headers and TLS configurations. The Python script (scripts/analyze-headers.py) performs standard network requests to user-provided URLs to identify missing protections like CSP or HSTS. While it disables SSL certificate verification to ensure it can scan misconfigured sites, this is a common functional choice for security scanners and does not indicate malicious intent.
Capability Assessment
Purpose & Capability
Name/description match the included script: the Python tool analyzes headers and TLS. However SKILL.md metadata declares a required binary 'curl' even though the shipped script uses the Python requests/urllib libraries and never calls curl. Requesting curl is unnecessary for the stated purpose and is an incoherence in requirements.
Instruction Scope
Runtime instructions are limited to running the bundled Python script against user-provided URLs or a user-provided file of URLs. The script only performs network requests to the specified targets and does not attempt to read unrelated system files or external control endpoints. It does accept a file path provided by the user and will read that file (expected behavior for batch scanning).
Install Mechanism
There is no install spec (instruction-only) and the included script runs from the skill directory. No remote downloads or archive extraction are performed by the skill itself. This is a low-risk installation model.
Credentials
The skill requests no environment variables, secrets, or config paths. The absence of credential requests is proportional to the described functionality.
Persistence & Privilege
The skill is not set to always:true and does not request persistent or elevated privileges. Autonomous invocation is allowed (platform default) but is not combined with other concerning signals.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install http-header-analyzer
- After installation, invoke the skill by name or use /http-header-analyzer
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — Check security headers and TLS config
Frequently Asked Questions
What is HTTP Header Analyzer?
Analyze HTTP security headers and TLS configuration. Find missing headers, weak ciphers, and misconfigurations in web applications. It is an AI Agent Skill for Claude Code / OpenClaw, with 92 downloads so far.
How do I install HTTP Header Analyzer?
Run "/install http-header-analyzer" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is HTTP Header Analyzer free?
Yes, HTTP Header Analyzer is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does HTTP Header Analyzer support?
HTTP Header Analyzer is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created HTTP Header Analyzer?
It is built and maintained by HostileSpider (@hostilespider); the current version is v1.0.0.