← 返回 Skills 市场

http-requests-1.0.0

Name: http-requests-1.0.0
Author: pumpkinttl

作者 Pumpkin · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

101

总下载

当前安装

版本数

在 OpenClaw 中安装

/install httprequests

功能描述

Send HTTP requests with Python requests instead of curl when quoting and escaping would be error-prone. Use for GET, POST, PUT, DELETE requests with headers,...

使用说明 (SKILL.md)

HTTP Requests

Use this skill when an HTTP API call is needed and curl quoting/escaping would be fragile.

What this skill does

Sends HTTP requests via Python requests
Supports GET, POST, PUT, DELETE
Supports headers, query params, JSON body, form data, and timeout
Writes a light daily JSONL log under logs/
Avoids logging sensitive values like authorization tokens and full bodies

Inputs to collect

Before running the script, gather:

Method: GET / POST / PUT / DELETE
URL
Headers if any
Query params if any
JSON body or form data if any
Timeout if the user cares (otherwise use default)

Script

Primary script:

scripts/request_http.py

Run it with Python and pass method/url plus optional inputs.

Logging

Logs are stored inside this skill directory:

logs/YYYY-MM-DD.jsonl

Each line contains a light summary only:

timestamp
method
url
status
ok
duration_ms
response_bytes
error (if any)

Do not log authorization tokens, cookies, or full request/response bodies by default.

When to read references

Read references/usage-patterns.md when:

the request has multiple headers/params/body fields
the user wants an example pattern
you need to choose between JSON body and form data
you need the expected command-line argument style for the script

安全使用建议

This skill is functionally coherent but not fully protective of secrets. Before installing or using it: (1) avoid putting sensitive tokens in URL query strings (the script logs args.url unredacted); (2) avoid passing secrets on the command line where other processes/command history can capture them; prefer sending tokens in headers and verify the headers are redacted in any logs; (3) be aware the script prints response bodies to stdout (which your agent or host may capture); (4) install or ensure the 'requests' Python package is available or add an explicit install step; (5) consider patching the script to redact query params from logged URLs (or to omit logging the URL entirely) and to actually use redact_headers when persisting any headers. If you cannot review or modify the code, run it in an isolated environment and do not use it with real credentials or sensitive endpoints.

功能分析

Type: OpenClaw Skill Name: httprequests Version: 1.0.0 The skill provides a utility for making HTTP requests via the Python `requests` library. While it aligns with its stated purpose and includes security-conscious instructions in `SKILL.md`, the script `scripts/request_http.py` contains a high-risk capability (arbitrary network access) and a potential data-leakage vulnerability. Specifically, it logs the full URL (including potentially sensitive query parameters) to a local file, and while a header redaction function is defined, it is never actually called in the execution flow. No clear evidence of intentional malice or hardcoded exfiltration was found.

能力评估

ℹ Purpose & Capability

Name/description match the included script: the Python script implements GET/POST/PUT/DELETE, headers/params/json/data, timeouts, and writes light logs. Nothing in the code requires unrelated credentials or binaries.

⚠ Instruction Scope

SKILL.md promises to avoid logging sensitive values, but the script logs the original args.url (which can contain sensitive query parameters) and prints response bodies to stdout. A redact_headers helper exists but is not used for logging. These gaps mean secrets could be exposed despite the 'do not log' claim.

ℹ Install Mechanism

Instruction-only skill (no install spec) — low install risk. The script depends on the third-party 'requests' package but does not declare or install it; the runtime must already have requests available or the call will fail.

✓ Credentials

The skill requests no environment variables or credentials. Example usage shows passing Authorization headers or form passwords as arguments, which is expected for an HTTP helper, but those can be exposed via URL/console if used carelessly.

✓ Persistence & Privilege

No always:true flag and no system-wide persistence. The skill writes per-day logs under its own logs/ directory (normal for a local helper).

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install httprequests
安装完成后，直接呼叫该 Skill 的名称或使用 /httprequests 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

# HTTP Requests Skill v1.0.0 更新说明新增一个基于 Python `requests` 的通用 HTTP 请求 Skill，用来替代复杂 `curl` 场景，减少引号、转义、JSON body 拼接错误。 ## Skill 信息 - 名称：`http-requests` - 版本：`1.0.0` - 目录：`http-requests-1.0.0` ## 主要功能第一版提供统一的 HTTP 请求能力，使用单个通用脚本处理全部请求方式。当前支持： - GET - POST - PUT - DELETE - Headers - Query Params - JSON Body - Form Data - Timeout - 响应状态码输出 - 响应头可选输出 - 响应体输出 - 响应体长度裁剪 ## 设计特点 ### 1. 单脚本统一处理不按 GET / POST / PUT / DELETE 拆多个脚本，而是使用一个统一入口脚本处理全部请求方式，结构更简单，后续也更容易维护。主脚本： ```text scripts/request_http.py

元数据

Slug httprequests

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题