charlie-morrison

http-security-headers

By charlie-morrison · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 86
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install http-security-headers
Description
Analyze HTTP security headers for any URL. Check for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS, and more...
Usage (SKILL.md)

HTTP Security Headers Analyzer

Analyze HTTP response headers for security best practices. Grade websites A-F with actionable recommendations.

Quick Scan (Single URL)

python3 scripts/scan_headers.py <url>

Batch Scan (Multiple URLs)

python3 scripts/scan_headers.py <url1> <url2> <url3>

Output Formats

# Text (default)
python3 scripts/scan_headers.py <url>

# JSON
python3 scripts/scan_headers.py <url> --format json

# Markdown report
python3 scripts/scan_headers.py <url> --format markdown

What It Checks

Security Headers (15 checks)

Header                            | Impact   | Description
----------------------------------|----------|------------------------------------------------
Strict-Transport-Security         | Critical | HTTPS enforcement, preload, max-age
Content-Security-Policy           | Critical | XSS/injection prevention, directive analysis
X-Frame-Options                   | High     | Clickjacking protection
X-Content-Type-Options            | High     | MIME sniffing prevention
Referrer-Policy                   | Medium   | Information leakage control
Permissions-Policy                | Medium   | Browser feature restrictions
X-XSS-Protection                  | Low      | Legacy XSS filter (deprecated but checked)
Cross-Origin-Opener-Policy        | Medium   | Cross-origin isolation
Cross-Origin-Resource-Policy      | Medium   | Resource sharing control
Cross-Origin-Embedder-Policy      | Medium   | Embedding restrictions
Cache-Control                     | Medium   | Sensitive data caching
X-Permitted-Cross-Domain-Policies | Low      | Flash/PDF cross-domain
Clear-Site-Data                   | Info     | Logout/session clearing
X-DNS-Prefetch-Control            | Low      | DNS prefetch control
Content-Type                      | High     | Charset and MIME type

Negative Indicators (penalize)

  • Server header revealing version info
  • X-Powered-By header present
  • X-AspNet-Version or similar tech disclosure

Grading

  • A+ (100): All critical+high headers present with optimal config
  • A (90-99): All critical headers, minor improvements possible
  • B (75-89): Most headers present, some gaps
  • C (60-74): Several missing headers
  • D (40-59): Major security gaps
  • F (<40): Critical headers missing

CI Integration

Exit codes:

  • 0 — Grade A or better
  • 1 — Grade B-C (warnings)
  • 2 — Grade D-F (failures)

Use --min-grade B to set a custom threshold:

python3 scripts/scan_headers.py https://example.com --min-grade B
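To make the grading bands and CI exit codes above concrete, here is an added, self-contained grader over a constructed header mapping. It is not the skill's own scripts/scan_headers.py: the per-header weights, the partial-credit rules for weak HSTS/CSP values, and the --min-grade exit semantics are assumptions; the impact tiers, negative indicators, grade bands and default exit codes follow the page.

```python
import re
WEIGHTS = {  # assumed weights (sum 100): the page gives impact tiers, not the skill's scoring
    "strict-transport-security": 25, "content-security-policy": 25,          # Critical
    "x-frame-options": 12, "x-content-type-options": 12, "content-type": 6,  # High
    "referrer-policy": 6, "permissions-policy": 6, "cache-control": 4,        # Medium
    "cross-origin-opener-policy": 2, "cross-origin-resource-policy": 2,       # Medium
}
GRADE_ORDER = ["F", "D", "C", "B", "A", "A+"]
VERSION_RE = re.compile(r"\d+\.\d+")  # catches "Apache/2.4.41"-style Server disclosure

def header_credit(name, value):  # fraction of the weight earned; weak settings get half
    v = value.lower().strip()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        return 1.0 if m and int(m.group(1)) >= 31536000 else 0.5  # want >= 1 year
    if name == "content-security-policy":
        return 0.5 if "unsafe-inline" in v or "unsafe-eval" in v else 1.0
    if name == "x-content-type-options":
        return 1.0 if v == "nosniff" else 0.0
    return 1.0

def score(headers):  # 0-100; the page's negative indicators subtract points
    h = {k.lower(): v for k, v in headers.items()}
    total = sum(w * header_credit(n, h[n]) for n, w in WEIGHTS.items() if n in h)
    if VERSION_RE.search(h.get("server", "")):
        total -= 5
    total -= 5 * sum(1 for leak in ("x-powered-by", "x-aspnet-version") if leak in h)
    return max(0, int(total))

def grade(points):  # the page's A+/A/B/C/D/F bands
    for floor, letter in ((100, "A+"), (90, "A"), (75, "B"), (60, "C"), (40, "D")):
        if points >= floor:
            return letter
    return "F"

def exit_code(letter, min_grade=None):
    # Page's CI mapping by default; with min_grade (assumed semantics) 0 if met, else 2.
    if min_grade is not None:
        return 0 if GRADE_ORDER.index(letter) >= GRADE_ORDER.index(min_grade) else 2
    return 0 if letter in ("A", "A+") else 1 if letter in ("B", "C") else 2

# Constructed sample responses (not captured from any real site).
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'", "X-Frame-Options": "DENY",
            "X-Content-Type-Options": "nosniff", "Content-Type": "text/html; charset=utf-8",
            "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=()",
            "Cache-Control": "no-store", "Cross-Origin-Opener-Policy": "same-origin",
            "Cross-Origin-Resource-Policy": "same-origin", "Server": "nginx"}
LEAKY = {"Content-Type": "text/html", "Server": "Apache/2.4.41", "X-Powered-By": "PHP/7.4.3",
         "Strict-Transport-Security": "max-age=300"}
```

With these inputs the hardened response scores 100 (A+, exit 0) and the leaky one scores 8 (F, exit 2); a 300-second HSTS max-age earns only half credit and the two disclosure headers cost five points each.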

Workflow

  1. User provides URL(s) to scan
  2. Run the scan script
  3. Present the grade and findings
  4. Highlight critical missing headers first
  5. Provide specific fix recommendations (Nginx, Apache, Cloudflare snippets)
Safe usage notes
This skill appears to do what it says: run a Python script to analyze HTTP response headers. Before installing or enabling it broadly, consider: (1) the script will make network requests to any URL you or the agent provide — that can probe internal/private hosts if the agent has network access; (2) autonomous invocation is allowed by default, so restrict agent network permissions or limit the skill to user-invocation if you want to avoid unintended scans; (3) if you have concerns, review the included scripts/scan_headers.py (it is pure Python stdlib) or run it locally on a safe host list. Also be mindful of legal/privacy rules before scanning third-party systems.
Functional analysis
Type: OpenClaw Skill
Name: http-security-headers
Version: 1.0.0
The skill bundle is a legitimate utility for auditing HTTP security headers and providing security grades based on OWASP-aligned recommendations. The core logic in `scripts/scan_headers.py` uses only the Python standard library to perform HEAD requests and analyze response headers; it contains no evidence of data exfiltration, unauthorized file access, or malicious execution. The instructions in `SKILL.md` are consistent with the tool's purpose and do not attempt to subvert the AI agent's behavior.
Capability assessment
Purpose & Capability
Name/description match the included script and documentation. The Python scanner implements the listed header checks, grading, output formats, CI exit codes, and fix snippets. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md tells the agent to run the included script against user-provided URL(s). The script makes outbound HTTP(S) requests to arbitrary URLs (HEAD requests by default). This is expected for a scanner, but it means the skill can probe external or internal network endpoints when invoked—so the runtime network capability is the primary risk to manage.
Install Mechanism
No install spec; the skill is instruction+script-only and claims to use only the Python standard library, which the script appears to do. Nothing is downloaded from external URLs during install.
Credentials
The skill requests no environment variables, credentials, or config paths. There are no extraneous secret requirements that don't match the stated purpose.
Persistence & Privilege
`always` is false and the skill is user-invocable; model invocation is allowed (the normal default). Autonomous invocation combined with the ability to make arbitrary network requests is a privacy/operational consideration (it could be used to scan internal hosts) but is not in itself inconsistent with the declared purpose.
How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install http-security-headers
  3. After installation, call the skill by name or trigger it with /http-security-headers
  4. Provide the inputs required by the skill's parameter description to get structured output
Version history
v1.0.0
Initial release
Metadata
Slug http-security-headers
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Versions 1
FAQ

What is http-security-headers?

Analyze HTTP security headers for any URL. Check for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, CORS, and more... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 86 downloads to date.

How do I install http-security-headers?

Run the command "/install http-security-headers" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is http-security-headers free?

Yes, http-security-headers is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.

Which platforms does http-security-headers support?

http-security-headers is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed http-security-headers?

Developed and maintained by charlie-morrison (@charlie-morrison); the current version is v1.0.0.