← Back to Skills Marketplace
charlie-morrison

http-security-headers

by charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
86
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install http-security-headers
Description
Analyze HTTP security headers for any URL. Check for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS, and more....
README (SKILL.md)

HTTP Security Headers Analyzer

Analyze HTTP response headers for security best practices. Grade websites A-F with actionable recommendations.

Quick Scan (Single URL)

python3 scripts/scan_headers.py \x3Curl>

Batch Scan (Multiple URLs)

python3 scripts/scan_headers.py \x3Curl1> \x3Curl2> \x3Curl3>

Output Formats

# Text (default)
python3 scripts/scan_headers.py \x3Curl>

# JSON
python3 scripts/scan_headers.py \x3Curl> --format json

# Markdown report
python3 scripts/scan_headers.py \x3Curl> --format markdown

What It Checks

Security Headers (15 checks)

Header Impact Description
Strict-Transport-Security Critical HTTPS enforcement, preload, max-age
Content-Security-Policy Critical XSS/injection prevention, directive analysis
X-Frame-Options High Clickjacking protection
X-Content-Type-Options High MIME sniffing prevention
Referrer-Policy Medium Information leakage control
Permissions-Policy Medium Browser feature restrictions
X-XSS-Protection Low Legacy XSS filter (deprecated but checked)
Cross-Origin-Opener-Policy Medium Cross-origin isolation
Cross-Origin-Resource-Policy Medium Resource sharing control
Cross-Origin-Embedder-Policy Medium Embedding restrictions
Cache-Control Medium Sensitive data caching
X-Permitted-Cross-Domain-Policies Low Flash/PDF cross-domain
Clear-Site-Data Info Logout/session clearing
X-DNS-Prefetch-Control Low DNS prefetch control
Content-Type High Charset and MIME type

Negative Indicators (penalize)

  • Server header revealing version info
  • X-Powered-By header present
  • X-AspNet-Version or similar tech disclosure

Grading

  • A+ (100): All critical+high headers present with optimal config
  • A (90-99): All critical headers, minor improvements possible
  • B (75-89): Most headers present, some gaps
  • C (60-74): Several missing headers
  • D (40-59): Major security gaps
  • F (\x3C40): Critical headers missing

CI Integration

Exit codes:

  • 0 — Grade A or better
  • 1 — Grade B-C (warnings)
  • 2 — Grade D-F (failures)

Use --min-grade B to set custom threshold:

python3 scripts/scan_headers.py https://example.com --min-grade B

Workflow

  1. User provides URL(s) to scan
  2. Run the scan script
  3. Present the grade and findings
  4. Highlight critical missing headers first
  5. Provide specific fix recommendations (Nginx, Apache, Cloudflare snippets)
Usage Guidance
This skill appears to do what it says: run a Python script to analyze HTTP response headers. Before installing or enabling it broadly, consider: (1) the script will make network requests to any URL you or the agent provide — that can probe internal/private hosts if the agent has network access; (2) autonomous invocation is allowed by default, so restrict agent network permissions or limit the skill to user-invocation if you want to avoid unintended scans; (3) if you have concerns, review the included scripts/scan_headers.py (it is pure Python stdlib) or run it locally on a safe host list. Also be mindful of legal/privacy rules before scanning third-party systems.
Capability Analysis
Type: OpenClaw Skill Name: http-security-headers Version: 1.0.0 The skill bundle is a legitimate utility for auditing HTTP security headers and providing security grades based on OWASP-aligned recommendations. The core logic in `scripts/scan_headers.py` uses only the Python standard library to perform HEAD requests and analyze response headers; it contains no evidence of data exfiltration, unauthorized file access, or malicious execution. The instructions in `SKILL.md` are consistent with the tool's purpose and do not attempt to subvert the AI agent's behavior.
Capability Assessment
Purpose & Capability
Name/description match the included script and documentation. The Python scanner implements the listed header checks, grading, output formats, CI exit codes, and fix snippets. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md tells the agent to run the included script against user-provided URL(s). The script makes outbound HTTP(S) requests to arbitrary URLs (HEAD requests by default). This is expected for a scanner, but it means the skill can probe external or internal network endpoints when invoked—so the runtime network capability is the primary risk to manage.
Install Mechanism
No install spec; the skill is instruction+script-only and claims to use only the Python standard library, which the script appears to do. Nothing is downloaded from external URLs during install.
Credentials
The skill requests no environment variables, credentials, or config paths. There are no extraneous secret requirements that don't match the stated purpose.
Persistence & Privilege
always is false and the skill is user-invocable; model invocation is allowed (normal default). Autonomous invocation combined with the ability to make arbitrary network requests is a privacy/operational consideration (it could be used to scan internal hosts) but is not itself an incoherence with the declared purpose.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install http-security-headers
  3. After installation, invoke the skill by name or use /http-security-headers
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug http-security-headers
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is http-security-headers?

Analyze HTTP security headers for any URL. Check for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS, and more.... It is an AI Agent Skill for Claude Code / OpenClaw, with 86 downloads so far.

How do I install http-security-headers?

Run "/install http-security-headers" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is http-security-headers free?

Yes, http-security-headers is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does http-security-headers support?

http-security-headers is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created http-security-headers?

It is built and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments