cors-scanner

Scan web endpoints for CORS misconfigurations. Detect origin reflection, wildcard policies, null origin acceptance, credential leaks, subdomain trust, HTTP origin trust on HTTPS, preflight issues, and private network access. Assign A-F security grades. Use when asked to check CORS, test cross-origin policy, audit CORS headers, scan for CORS vulnerabilities, or check if an API has safe CORS configuration. Triggers on "CORS", "cross-origin", "CORS misconfiguration", "CORS scan", "Access-Control-Allow-Origin", "origin reflection".

Safety Notice

This listing is from the official public ClawHub registry. Review SKILL.md and referenced scripts before running.

Install skill "cors-scanner" with this command: npx skills add charlie-morrison/cors-scanner

CORS Misconfiguration Scanner

Scan web endpoints for dangerous Cross-Origin Resource Sharing policies. Detect misconfigurations that could allow attackers to steal data cross-origin.

Quick Scan

python3 scripts/cors_scan.py https://api.example.com

Batch Scan

python3 scripts/cors_scan.py https://api1.com https://api2.com https://api3.com

Output Formats

# Text (default)
python3 scripts/cors_scan.py <url>

# JSON
python3 scripts/cors_scan.py <url> --format json

# Markdown report
python3 scripts/cors_scan.py <url> --format markdown

CI/CD Integration

# Fail if any URL grades below C
python3 scripts/cors_scan.py https://api.example.com --min-grade C
echo $?  # 0 = pass, 1 = fail

What It Checks (13 checks)

| Check | Severity | Description |
| --- | --- | --- |
| Origin reflection | Critical/High | Server reflects arbitrary Origin back as ACAO |
| Credentials + wildcard | Critical | ACAO: * with ACAC: true (browser-blocked but misconfigured) |
| Null origin accepted | High/Medium | Origin: null trusted (exploitable via sandboxed iframes) |
| HTTP origin on HTTPS | High | HTTPS endpoint trusts HTTP origins (MitM risk) |
| Subdomain wildcard | High | Trusts any subdomain (*.domain.com) |
| Third-party origin | High | Confirms reflection with a different attacker domain |
| Private network access | High | Allows external sites to reach the internal network |
| Wildcard origin (*) | Medium | ACAO: * on potentially sensitive endpoints |
| Sensitive headers exposed | Medium | Exposes auth/session headers cross-origin |
| Wildcard methods | Medium | ACAM: * allows any HTTP method |
| Wildcard headers | Medium | ACAH: * allows any custom header |
| Missing max-age | Low | No preflight caching, increased latency |
| Clean | Info | No misconfigurations detected |

ACAO, ACAC, ACAM and ACAH abbreviate the Access-Control-Allow-Origin, -Credentials, -Methods and -Headers response headers.

Grading

| Grade | Meaning |
| --- | --- |
| A | No CORS issues detected |
| B | Minor issues (low severity) |
| C | Moderate issues (medium severity) |
| D | Serious issues (high severity or multiple medium) |
| F | Critical misconfigurations (origin reflection + credentials) |
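The checks table and the grading table above can both be reproduced from the headers a single probe gets back. The block below is an added example written for this page, not code from the cors-scanner project: `evaluate_probe` flags the misconfigurations from the checks table for one request/response pair and `grade` maps them to the A-F scale. The function names, the `SENSITIVE_EXPOSED` list, the last-two-labels parent-domain approximation and every header set in `SAMPLES` are assumptions constructed for illustration; it also assumes, as a scanner does, that the Origin it sent is one the server should never trust, so any reflection of it counts as a finding.

```python
"""Evaluate one CORS probe against the checks and grades tables.

Added example, not the cors-scanner project's code. The probe's Origin is
assumed to be untrusted by design (attacker host, "null", or a made-up
subdomain), so reflecting it is always a finding. SAMPLES are constructed.
"""
from urllib.parse import urlsplit

# Headers that should not be readable cross-origin (assumed list).
SENSITIVE_EXPOSED = {"authorization", "set-cookie", "x-csrf-token", "x-api-key"}


def _parent_domain(host):
    """Last two labels of a host; an approximation, no public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def evaluate_probe(target, origin_sent, headers):
    """Return [(check, severity), ...] for a single request/response pair."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    tgt = urlsplit(target)
    target_origin = f"{tgt.scheme}://{tgt.netloc}".lower()
    findings = []

    if acao == "*":
        # Browsers refuse "*" with credentials, but it still signals a broken policy.
        findings.append(("Credentials + wildcard", "critical") if creds
                        else ("Wildcard origin (*)", "medium"))
    elif acao == "null" and origin_sent == "null":
        findings.append(("Null origin accepted", "high" if creds else "medium"))
    elif acao and acao.lower() == origin_sent.lower() and acao.lower() != target_origin:
        sent = urlsplit(origin_sent)
        sent_host = (sent.hostname or "").lower()
        tgt_host = (tgt.hostname or "").lower()
        if tgt.scheme == "https" and sent.scheme == "http":
            findings.append(("HTTP origin on HTTPS", "high"))
        if sent_host != tgt_host:  # same host with another scheme is covered above
            if _parent_domain(sent_host) == _parent_domain(tgt_host):
                findings.append(("Subdomain wildcard", "high"))
            else:
                findings.append(("Origin reflection", "critical" if creds else "high"))

    if h.get("access-control-allow-private-network", "").lower() == "true":
        findings.append(("Private network access", "high"))
    exposed = {x.strip().lower() for x in h.get("access-control-expose-headers", "").split(",")}
    if exposed & SENSITIVE_EXPOSED:
        findings.append(("Sensitive headers exposed", "medium"))
    if h.get("access-control-allow-methods") == "*":
        findings.append(("Wildcard methods", "medium"))
    if h.get("access-control-allow-headers") == "*":
        findings.append(("Wildcard headers", "medium"))
    preflight = "access-control-allow-methods" in h or "access-control-allow-headers" in h
    if preflight and "access-control-max-age" not in h:
        findings.append(("Missing max-age", "low"))
    return findings or [("Clean", "info")]


def grade(findings):
    """Map findings to the A-F scale from the grading table."""
    sev = [s for _, s in findings]
    if "critical" in sev:
        return "F"
    if "high" in sev or sev.count("medium") >= 2:
        return "D"
    if "medium" in sev:
        return "C"
    if "low" in sev:
        return "B"
    return "A"


TARGET = "https://api.example.com/me"
SAMPLES = {  # name -> (target, Origin sent, response headers); all constructed
    "reflect_creds": (TARGET, "https://attacker.example",
                      {"Access-Control-Allow-Origin": "https://attacker.example",
                       "Access-Control-Allow-Credentials": "true"}),
    "null_origin": (TARGET, "null", {"Access-Control-Allow-Origin": "null"}),
    "subdomain": (TARGET, "https://zz-probe-7f3a.example.com",
                  {"Access-Control-Allow-Origin": "https://zz-probe-7f3a.example.com"}),
    "wildcard_creds": (TARGET, "https://attacker.example",
                       {"Access-Control-Allow-Origin": "*",
                        "Access-Control-Allow-Credentials": "true",
                        "Access-Control-Allow-Methods": "*",
                        "Access-Control-Allow-Private-Network": "true"}),
    "two_mediums": (TARGET, "https://attacker.example",
                    {"Access-Control-Allow-Origin": "*",
                     "Access-Control-Expose-Headers": "X-Request-Id, Authorization"}),
    "static_allowlist": (TARGET, "https://attacker.example",
                         {"Access-Control-Allow-Origin": "https://app.example.com",
                          "Access-Control-Allow-Methods": "GET, POST",
                          "Access-Control-Allow-Headers": "Content-Type"}),
    "clean": ("https://api.example.com/public", "https://attacker.example",
              {"Content-Type": "application/json"}),
}


def scan_samples():
    """Grade every constructed sample; returns {name: (grade, findings)}."""
    return {n: (grade(evaluate_probe(*p)), evaluate_probe(*p)) for n, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (g, found) in scan_samples().items():
        print(f"{name:17} grade {g}  {found}")
```

The `static_allowlist` sample shows why reflection, not merely the presence of an ACAO header, is the signal: the server answers with a fixed first-party origin that differs from the probe's Origin, so the only finding is the missing `Access-Control-Max-Age` and the grade is B. The real scanner confirms subdomain trust and third-party reflection with separate probes; a single-probe evaluator like this one can only classify the origin it actually sent.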

Requirements

  • Python 3.6+
  • No external dependencies (stdlib only)

Examples

$ python3 scripts/cors_scan.py https://httpbin.org/get
CORS Scan: https://httpbin.org/get
Grade: A
Findings: 0
============================================================

⚪ [INFO] No CORS misconfigurations detected
  The scanned endpoint does not appear to have dangerous CORS policies.

