Official Verified developer tools Safety 4/5

csp-gen

Generate Content Security Policy headers for your site. Use when you need to add CSP headers without spending hours reading the spec.

Why use this skill?

Easily generate, manage, and optimize your website's Content Security Policy headers with this automated tool. Prevent XSS attacks with one simple command.

Install via CLI (Recommended)

clawhub install openclaw/skills/skills/lxgicstudios/csp-gen

What This Skill Does

The csp-gen skill is an automated security utility designed to simplify the complex task of creating and maintaining Content Security Policy (CSP) headers. Security professionals and developers often struggle with the intricacies of CSP directives, leading to either overly permissive policies or broken web applications. This tool bridges that gap by programmatically analyzing your live website, identifying all external and internal resources—including scripts, styles, images, and API endpoints—and generating a well-structured, production-ready CSP header string. By leveraging intelligent analysis, the tool ensures that you can enforce strict browser-side security against Cross-Site Scripting (XSS) and data injection attacks without the manual effort of mapping every resource dependency yourself.

Installation

To integrate this skill into your environment, use the OpenClaw repository management system. Run the following command in your terminal:

clawhub install openclaw/skills/skills/lxgicstudios/csp-gen

Once installed, you can invoke the tool directly through the OpenClaw agent. The underlying utility is powered by npx, meaning no complex local installation or global package configuration is required, provided you have Node.js 18 or higher installed on your system.

Use Cases

  • Initial Security Hardening: For teams implementing CSP for the first time, this tool provides an immediate baseline policy that can be refined over time.
  • Third-Party Script Management: When adding new analytics, chat widgets, or tracking pixels, use this tool to determine the updated required directives to avoid breaking these features.
  • Legacy Policy Audits: Use it to replace a broken or 'unsafe-inline' heavy policy with a modern, tightened configuration.
  • CI/CD Pipeline Integration: Automate the generation of security headers during build processes to ensure that your site's infrastructure is always accompanied by an accurate security policy.

Example Prompts

  1. "Analyze my site at https://secure-dashboard.com and generate a strict CSP header that restricts scripts to my own domain and trusted CDNs."
  2. "I need to update my CSP. Can you use the csp-gen skill on https://api.myshop.com/login and suggest a report-only header for monitoring?"
  3. "Run a scan on my development environment at http://localhost:3000 to identify which directives I need to enable for my new Stripe integration."

Tips & Limitations

  • Test Before Enforcing: Always use the Content-Security-Policy-Report-Only mode first. This allows you to view potential violations in your browser's console without actually blocking resources.
  • Manual Review Required: While the tool is highly accurate, it cannot predict every dynamic user interaction. Ensure your human developers verify the output, especially regarding dynamic script injection.
  • Merge Carefully: If your site is large and uses multiple distinct page layouts, generate a policy for each layout type and merge them into a single unified policy. Avoid overly generic wildcards like * whenever possible, since they loosen the policy.
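
One way to carry out the merge and report-only tips above, as an added example (this is not csp-gen's own code or output). The helper names `parseCsp`, `mergeCsp`, `auditCsp` and `toHeader` and the two sample policies are constructed for illustration, and every input policy is assumed to set default-src.

```javascript
// Added example, not csp-gen code. Assumes every input policy sets default-src.
const FETCH = new Set(['script-src', 'style-src', 'img-src', 'connect-src',
  'font-src', 'media-src', 'object-src', 'frame-src', 'worker-src']);
const RISKY = new Set(['*', 'http:', 'https:', "'unsafe-inline'", "'unsafe-eval'"]);
// Parse "default-src 'self'; img-src a b" into Map<directive, Set<source>>.
function parseCsp(policy) {
  const out = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Browsers ignore a repeated directive within one policy; keep the first.
    if (name && !out.has(name.toLowerCase())) out.set(name.toLowerCase(), new Set(sources));
  }
  return out;
}

// Union the sources of each directive across all page-type policies.
function mergeCsp(policies) {
  const parsed = policies.map(parseCsp);
  const merged = new Map();
  for (const name of new Set(parsed.flatMap((p) => [...p.keys()]))) {
    const union = new Set();
    for (const p of parsed) {
      // A policy lacking this fetch directive governs it via default-src; carry those over.
      const src = p.get(name) ?? (FETCH.has(name) ? p.get('default-src') : undefined);
      for (const s of src ?? []) union.add(s);
    }
    if (union.size > 1) union.delete("'none'"); // 'none' is only valid alone
    merged.set(name, union);
  }
  return merged;
}

// List "directive source" pairs that weaken the merged policy.
function auditCsp(merged) {
  return [...merged].flatMap(([name, sources]) =>
    [...sources].filter((s) => RISKY.has(s)).map((s) => `${name} ${s}`));
}

// Serialize, defaulting to the non-blocking report-only header for a trial run.
function toHeader(merged, reportOnly = true) {
  const value = [...merged].map(([n, s]) => [n, ...s].join(' ')).join('; ');
  return { name: `Content-Security-Policy${reportOnly ? '-Report-Only' : ''}`, value };
}

// Constructed sample policies for two page layouts (not csp-gen output).
const marketing = "default-src 'self'; img-src 'self' https://img.example.com; style-src 'self' 'unsafe-inline'";
const checkout = "default-src 'self'; script-src 'self' https://js.example.net; object-src 'none'";
const merged = mergeCsp([marketing, checkout]);
console.log(toHeader(merged), auditCsp(merged));
```

In the sample, merging widens the checkout layout's object-src 'none' to 'self' because the marketing policy allows objects through default-src; a merged policy is never stricter than its loosest input.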

Metadata

Stars: 1601
Views: 1
Updated: 2026-02-27

Add to Configuration

Paste this into your clawhub.json to enable this plugin.

{
  "plugins": {
    "official-lxgicstudios-csp-gen": {
      "enabled": true,
      "auto_update": true
    }
  }
}

Tags (AI)

#security #web-development #xss-protection #automation #ops
Safety Score: 4/5

Flags: network-access