
HTTP Header Analyzer

Author: HostileSpider · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 92
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install http-header-analyzer
Description
Analyze HTTP security headers and TLS configuration. Find missing headers, weak ciphers, and misconfigurations in web applications.
Usage (SKILL.md)

HTTP Header Analyzer

Check HTTP security headers and TLS configuration. Find missing protections and misconfigurations.

Quick Start

# Analyze a single URL
python3 {baseDir}/scripts/analyze-headers.py https://example.com

# Check multiple targets
python3 {baseDir}/scripts/analyze-headers.py -f urls.txt

# JSON output
python3 {baseDir}/scripts/analyze-headers.py https://example.com --json

Headers Checked

| Header | Purpose | Risk if Missing |
|---|---|---|
| Strict-Transport-Security | Forces HTTPS | Medium |
| Content-Security-Policy | XSS protection | Medium-High |
| X-Frame-Options | Clickjacking protection | Medium |
| X-Content-Type-Options | MIME sniffing protection | Low |
| X-XSS-Protection | XSS filter (legacy) | Low |
| Referrer-Policy | Controls referrer leakage | Low |
| Permissions-Policy | Feature restrictions | Low |
| Cross-Origin-Opener-Policy | Cross-origin isolation | Low |
| Cross-Origin-Embedder-Policy | Cross-origin isolation | Low |
| Cross-Origin-Resource-Policy | Cross-origin protection | Low |

Options

  • URL — Target URL(s) to analyze
  • -f FILE — File with URLs (one per line)
  • --json — JSON output
  • --follow — Follow redirects (default: yes)
  • --timeout SECS — Request timeout (default: 10)
  • --user-agent UA — Custom User-Agent
  • --check-tls — Also check TLS certificate info
  • --severity LEVEL — Minimum severity to report: low, medium, high

Output

=== https://example.com ===
✅ Strict-Transport-Security: max-age=31536000; includeSubDomains
✅ Content-Security-Policy: default-src 'self'
❌ X-Frame-Options: MISSING (clickjacking risk)
✅ X-Content-Type-Options: nosniff
❌ Referrer-Policy: MISSING
⚠️  Server: nginx/1.18.0 (version exposed)

Score: 3/6 security headers present
Risk: MEDIUM
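
An added example, not the skill's own analyze-headers.py: an offline check of a constructed header set against the "Headers Checked" table, including the Server version warning shown in the sample output. The `analyze` function, the two weak-value checks, scoring against all ten table headers, and treating "Medium-High" as "high" are assumptions of this example.

```python
import re

# Header -> risk if missing, from the "Headers Checked" table.
# Assumption: "Medium-High" is treated as "high" for severity filtering.
CHECKED = {
    "Strict-Transport-Security": "medium",
    "Content-Security-Policy": "high",
    "X-Frame-Options": "medium",
    **dict.fromkeys([
        "X-Content-Type-Options", "X-XSS-Protection", "Referrer-Policy",
        "Permissions-Policy", "Cross-Origin-Opener-Policy",
        "Cross-Origin-Embedder-Policy", "Cross-Origin-Resource-Policy"], "low"),
}
RANK = {"low": 1, "medium": 2, "high": 3}


def analyze(headers, min_severity="low"):
    """Classify response headers: present, missing, weak values, warnings."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    seen = {k.lower(): v.strip() for k, v in headers.items()}
    present = [h for h in CHECKED if h.lower() in seen]
    missing = [(h, sev) for h, sev in CHECKED.items()
               if h.lower() not in seen and RANK[sev] >= RANK[min_severity]]
    weak, warnings = [], []
    # "nosniff" is the only defined value for X-Content-Type-Options.
    xcto = seen.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        weak.append("X-Content-Type-Options")
    # HSTS with max-age=0 (or no max-age at all) gives no protection.
    hsts = seen.get("strict-transport-security")
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts or "", re.I)
    if hsts is not None and (not m or int(m.group(1)) == 0):
        weak.append("Strict-Transport-Security")
    # A Server value such as "nginx/1.18.0" discloses the exact version.
    server = seen.get("server", "")
    if re.search(r"/\d+(\.\d+)*", server):
        warnings.append(f"Server: {server} (version exposed)")
    return {"present": present, "missing": missing, "weak": weak,
            "warnings": warnings, "score": f"{len(present)}/{len(CHECKED)}"}

# Constructed response headers, modelled on the sample output above.
SAMPLE = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx/1.18.0",
}

if __name__ == "__main__":
    print(analyze(SAMPLE, min_severity="medium"))
```
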
Safe usage advice
This skill's code matches its description: it will perform HTTP(S) requests to any URL(s) you give it and report missing security headers and basic TLS info. Two things to consider before installing or running it: (1) SKILL.md declares 'curl' as a required binary even though the shipped Python script uses requests/urllib — this is likely a packaging or metadata error but worth noting. (2) The script intentionally disables TLS certificate verification when fetching headers and when checking TLS (verify=False / CERT_NONE) so it will accept invalid/expired certificates for scanning purposes; that is typically fine for enumerating headers but means it won't validate server identity. There are no hidden network endpoints or secret exfiltration code in the files provided. If you will scan external sites, ensure you have permission to do so and run scans from a network/location you control. If you want to be extra cautious, inspect the local script yourself or run it in an isolated environment before granting broader access.
Functional analysis
Type: OpenClaw Skill
Name: http-header-analyzer
Version: 1.0.0

The skill bundle is a legitimate tool for analyzing HTTP security headers and TLS configurations. The Python script (scripts/analyze-headers.py) performs standard network requests to user-provided URLs to identify missing protections like CSP or HSTS. While it disables SSL certificate verification to ensure it can scan misconfigured sites, this is a common functional choice for security scanners and does not indicate malicious intent.
Capability assessment
Purpose & Capability
Name/description match the included script: the Python tool analyzes headers and TLS. However SKILL.md metadata declares a required binary 'curl' even though the shipped script uses the Python requests/urllib libraries and never calls curl. Requesting curl is unnecessary for the stated purpose and is an incoherence in requirements.
Instruction Scope
Runtime instructions are limited to running the bundled Python script against user-provided URLs or a user-provided file of URLs. The script only performs network requests to the specified targets and does not attempt to read unrelated system files or external control endpoints. It does accept a file path provided by the user and will read that file (expected behavior for batch scanning).
Install Mechanism
There is no install spec (instruction-only) and the included script runs from the skill directory. No remote downloads or archive extraction are performed by the skill itself. This is a low-risk installation model.
Credentials
The skill requests no environment variables, secrets, or config paths. The absence of credential requests is proportional to the described functionality.
Persistence & Privilege
The skill is not set to always:true and does not request persistent or elevated privileges. Autonomous invocation is allowed (platform default) but is not combined with other concerning signals.
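How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install http-header-analyzer
  3. Once installed, call the Skill by name or trigger it with /http-header-analyzer
  4. Provide the inputs described in the Skill's options to get structured output
Version history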
v1.0.0
Initial release — Check security headers and TLS config
Metadata
Slug: http-header-analyzer
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Historical versions: 1
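FAQ

What is HTTP Header Analyzer?

Analyze HTTP security headers and TLS configuration. Find missing headers, weak ciphers, and misconfigurations in web applications. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 92 total downloads so far.

How do I install HTTP Header Analyzer?

Run the command "/install http-header-analyzer" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is HTTP Header Analyzer free?

Yes, HTTP Header Analyzer is completely free. It is released under the MIT-0 license and can be freely downloaded, installed, and used.

Which platforms does HTTP Header Analyzer support?

HTTP Header Analyzer is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who develops HTTP Header Analyzer?

It is developed and maintained by HostileSpider (@hostilespider); the current version is v1.0.0.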
