We built a free website security scanner skill for OpenClaw
Most website owners have no idea what code runs in their users' browsers. Third-party scripts from analytics platforms, ad networks, chat widgets, and payment processors all execute with full access to the DOM, yet security teams rarely maintain an inventory of what actually loads.
We built the cside Site Scanner as a free way to start getting a handle on that problem. It's an open-source tool that audits any website's third-party scripts, security headers and PCI DSS exposure in about 30 seconds. Available on ClawHub, it works with any AI agent and gives security teams a clear starting point: what's on my site right now?
The results often surprise people.
The problem: your website runs code you didn't write
The average ecommerce site loads 30 to 50 third-party scripts: analytics, ads, chat widgets, tag managers, payment processors, and session replay tools. Each has full access to your DOM. They can read form inputs, set cookies, fingerprint devices, and exfiltrate data.
Most security teams don't have an inventory of what runs on their pages. They review their own code carefully, but third-party scripts bypass that process entirely. A marketing team adds a new analytics pixel through Google Tag Manager, and suddenly new code executes in every user's browser - code that never touched version control or passed through CI/CD.
This isn't a theoretical risk. Magecart attacks have compromised payment data on major retail sites by injecting malicious code into scripts the sites already trusted. British Airways was fined £20m by the UK ICO after attackers modified a JavaScript library served on its site to skim payment card details from around 400,000 customers.
What the scanner does
Point it at any URL and it audits across six categories.
Third-party script inventory
The scanner identifies every external script loaded on the page, grouping them by domain and categorizing them by type: analytics, advertising, session replay, payment processing, CDN, and more. You get a complete picture of who has code running in your users' browsers.
Fingerprinting detection
Third-party scripts fingerprint users more often than site owners realize. The scanner checks for:
- Canvas fingerprinting
- WebGL queries
- AudioContext analysis
- Font enumeration
- Navigator property harvesting
- Known fingerprinting libraries like FingerprintJS
Under GDPR and CCPA, fingerprinting can count as personal data collection. If a third-party script does it on your pages, you're responsible - even if you didn't know it was happening.
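To make the list above concrete, here is a static detector for those techniques. It is an added example written for this post, not the scanner's own code: it scans JavaScript source text for the browser API calls each technique needs and only flags a technique when enough distinct signals appear, because a 2d canvas or a single navigator read on its own is ordinary web development. The sample scripts are constructed, and a static check like this can be evaded by minified or obfuscated code.

```python
"""Static fingerprinting-technique detector for third-party script source.

Added example, not cside's scanner code. Scans JavaScript source text for the
browser API patterns behind each fingerprinting technique and reports which
techniques a script appears to use. Sample scripts below are constructed.
"""
import re

# Each technique: (regexes over JS source, minimum distinct regex hits).
# Thresholds separate ordinary use from fingerprinting: a 2d canvas alone is
# just drawing; reading the pixels back (toDataURL/getImageData) is the tell.
TECHNIQUES = {
    "canvas": ([r"\bgetContext\(\s*['\"]2d['\"]\s*\)", r"\btoDataURL\(", r"\bgetImageData\("], 2),
    "webgl": ([r"\bgetContext\(\s*['\"](?:experimental-)?webgl2?['\"]",
               r"WEBGL_debug_renderer_info", r"UNMASKED_(?:VENDOR|RENDERER)_WEBGL"], 2),
    "audio": ([r"\b(?:Offline)?AudioContext\b", r"\bcreateOscillator\(",
               r"\bcreateDynamicsCompressor\("], 2),
    # Font enumeration: assign a font, then measure the rendered width, in a loop.
    "fonts": ([r"\bmeasureText\(", r"\.font\s*=", r"\.fontFamily\s*=", r"document\.fonts\.check\("], 2),
    # Single navigator reads are everywhere; harvesting several is the signal.
    "navigator": ([r"navigator\.hardwareConcurrency", r"navigator\.deviceMemory",
                   r"navigator\.plugins", r"navigator\.languages", r"navigator\.platform",
                   r"navigator\.maxTouchPoints"], 2),
    # Known library names and the FingerprintJS open-source CDN host.
    "known_library": ([r"\bFingerprintJS\b", r"openfpcdn\.io", r"\bClientJS\b"], 1),
}


def detect_fingerprinting(source: str) -> dict:
    """Return {technique: [matched snippets]} for techniques meeting their threshold."""
    findings = {}
    for technique, (patterns, minimum) in TECHNIQUES.items():
        hits = [m.group(0) for m in (re.search(p, source) for p in patterns) if m]
        if len(hits) >= minimum:
            findings[technique] = hits
    return findings


def audit_scripts(scripts: dict) -> dict:
    """Map script URL -> findings, keeping only scripts that fingerprint."""
    return {url: f for url, src in scripts.items() if (f := detect_fingerprinting(src))}


# Constructed sample scripts keyed by the URL they would load from.
SAMPLE_SCRIPTS = {
    # An analytics tag that runs the classic canvas/WebGL/audio/font/navigator battery.
    "https://cdn.example-analytics.test/tag.js": """
        var c=document.createElement('canvas'),x=c.getContext('2d');
        x.textBaseline='alphabetic';x.font='14px Arial';x.fillText('Cwm fjordbank glyphs vext quiz',2,15);
        var canvasHash=c.toDataURL();
        var w=document.createElement('canvas').getContext('webgl');
        var dbg=w.getExtension('WEBGL_debug_renderer_info');
        var gpu=w.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
        var a=new OfflineAudioContext(1,44100,44100),o=a.createOscillator();
        var widths=[];for(var i=0;i<FONTS.length;i++){x.font='12px '+FONTS[i];widths.push(x.measureText('mmmmmmmmmm').width);}
        var cores=navigator.hardwareConcurrency,mem=navigator.deviceMemory;
    """,
    # A chat widget that draws on a canvas but never reads pixels back: not fingerprinting.
    "https://chat.example-widget.test/widget.js": """
        var c=document.createElement('canvas').getContext('2d');
        c.fillRect(0,0,10,10);
        fetch('/api/session',{credentials:'include'});
    """,
    # First-party code pulling in a known fingerprinting library.
    "https://static.example-shop.test/app.js": """
        import FingerprintJS from 'https://openfpcdn.io/fingerprintjs/v4';
        const fp = await FingerprintJS.load();
    """,
}

if __name__ == "__main__":
    for url, findings in audit_scripts(SAMPLE_SCRIPTS).items():
        print(url)
        for technique, hits in findings.items():
            print(f"  {technique}: {', '.join(hits)}")
```

Running it flags the analytics tag for five techniques and the shop's own bundle for loading FingerprintJS, while the chat widget passes despite using a canvas. Tune the thresholds against your own vendors before trusting the output; the point of the thresholds is to keep charting and UI libraries out of the report.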
Security header analysis
The scanner evaluates the security headers (and one related markup control) that protect against common attacks:
| Header or control | Purpose |
|---|---|
| Content-Security-Policy (CSP) | Controls which scripts can execute; its frame-ancestors directive also controls who may frame the page |
| HTTP Strict Transport Security (HSTS) | Enforces HTTPS connections |
| X-Frame-Options | Prevents clickjacking attacks; superseded by CSP frame-ancestors but still useful as a fallback |
| Permissions-Policy | Restricts browser feature access |
| Subresource Integrity (SRI) | Verifies third-party script integrity; not a header but an integrity attribute on script and link tags |
Cookie audit
Every cookie is analyzed for security attributes: first-party versus third-party origin, Secure flag, HttpOnly flag, and SameSite setting. Misconfigured cookies can create session hijacking and cross-site request forgery vulnerabilities.
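Here is what the header and cookie checks look like in code. This is an added example for this post, not the scanner's implementation: audit_headers() checks the headers in the table above against common hardening guidance (the one-year HSTS max-age and the CSP source checks are widely used thresholds, not figures from this article), and audit_cookies() applies the per-cookie checks just described. The response headers and cookies are constructed, and the registrable-domain check is approximated as the last two labels of the host rather than a Public Suffix List lookup.

```python
"""Security header and cookie audit over a captured HTTP response.

Added example, not cside's scanner code. Thresholds follow common hardening
guidance rather than anything the article specifies. All headers and cookies
below are constructed.
"""
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; the commonly recommended minimum HSTS max-age


def parse_csp(value):
    """Split a CSP string into {directive: [source tokens]}, all lowercased."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def audit_headers(headers):
    """Return finding codes for missing or weak headers (empty list means clean)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("csp-missing")
    else:
        sources = directives.get("script-src", directives.get("default-src"))
        if sources is None:
            findings.append("csp-no-script-src")
        else:
            nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
            # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP level 2+)
            if "'unsafe-inline'" in sources and not nonce_or_hash:
                findings.append("csp-unsafe-inline")
            if any(s in ("*", "https:", "http:", "data:") for s in sources):
                findings.append("csp-wildcard-script-src")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        max_age = 0
        for part in hsts.split(";"):
            k, _, v = part.strip().partition("=")
            if k.lower() == "max-age" and v.strip().isdigit():
                max_age = int(v)
        if max_age < ONE_YEAR:
            findings.append("hsts-short-max-age")
    # Either X-Frame-Options or CSP frame-ancestors restricts framing; neither means clickjackable
    if "x-frame-options" not in h and "frame-ancestors" not in directives:
        findings.append("framing-unrestricted")
    if "permissions-policy" not in h:
        findings.append("permissions-policy-missing")
    return findings


def parse_set_cookie(line):
    """Minimal Set-Cookie parser: name, value and the security attributes."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value, "secure": False, "httponly": False, "samesite": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.strip().lower() or None
    return cookie


def site_of(host):
    """Approximate registrable domain as the last two labels (real code uses the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def audit_cookies(observed, page_url):
    """observed: [(URL of the response that set the cookie, Set-Cookie header value)]."""
    page_site = site_of(urlsplit(page_url).hostname)
    findings = []
    for origin, line in observed:
        c = parse_set_cookie(line)
        tag = f"cookie:{c['name']}"
        if site_of(urlsplit(origin).hostname) != page_site:
            findings.append(f"{tag}:third-party")
        if not c["secure"]:
            findings.append(f"{tag}:no-secure")  # also sent over plaintext HTTP
        if not c["httponly"]:
            findings.append(f"{tag}:no-httponly")  # readable by any script on the page
        if c["samesite"] not in ("lax", "strict"):
            findings.append(f"{tag}:samesite-{c['samesite'] or 'missing'}")  # CSRF exposure
        if c["samesite"] == "none" and not c["secure"]:
            findings.append(f"{tag}:samesite-none-without-secure")  # browsers reject this combination
    return findings


# Constructed sample: a weak response and its hardened counterpart.
PAGE_URL = "https://shop.example.test/checkout"
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example-analytics.test; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=86400",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline'; frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
OBSERVED_COOKIES = [
    ("https://shop.example.test/checkout", "sid=2f9c1a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("https://shop.example.test/checkout", "cart=3; Path=/"),
    ("https://cdn.example-analytics.test/collect", "_vid=abc123; Domain=.example-analytics.test; Path=/; Secure; SameSite=None"),
]

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_HEADERS))
    print("hardened:", audit_headers(HARDENED_HEADERS))
    print("cookies:", audit_cookies(OBSERVED_COOKIES, PAGE_URL))
```

Two design points worth noting: 'unsafe-inline' is only reported when no nonce or hash is present, because browsers ignore it otherwise, and a missing X-Frame-Options header is not a finding on its own when the CSP already carries frame-ancestors. The third-party cookie from the analytics host with SameSite=None is exactly the kind of tracker cookie the audit is meant to surface.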
PCI DSS 4.0.1 risk flagging
Requirement 6.4.3 of PCI DSS v4.0.1 requires an inventory of all scripts loaded and executed on payment pages, a written justification for each, and a method to confirm that each script is authorized and its integrity is assured. The scanner detects payment forms and identifies which third-party scripts have DOM access to them, giving you the starting inventory for that requirement.
Tag manager chain tracing
The scanner performs a before-and-after comparison: it inventories scripts at page load, then checks again after tag managers execute. The difference shows your unaudited attack surface - scripts that entered through GTM or other tag managers without code review.
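The script inventory, the payment-form check and the before-and-after comparison share one piece of machinery: parse the page, pull out external scripts, and attribute them. The example below is added for this post and is not the scanner's code. CATEGORIES is a small constructed vendor lookup standing in for whatever classification the scanner uses; STATIC_HTML is a constructed server response and RENDERED_HTML stands in for a DOM snapshot taken after the tag manager ran, so the difference between the two is the runtime-injected set.

```python
"""Third-party script inventory, SRI check, payment-form detection and
tag-manager before/after diff over page HTML.

Added example, not cside's scanner code. CATEGORIES is a constructed vendor
lookup; STATIC_HTML and RENDERED_HTML are constructed pages.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed vendor map keyed by registrable domain
CATEGORIES = {
    "googletagmanager.com": "tag manager",
    "google-analytics.com": "analytics",
    "doubleclick.net": "advertising",
    "hotjar.com": "session replay",
    "stripe.com": "payment",
}
# HTML autofill tokens that identify card fields regardless of how inputs are named
PAYMENT_AUTOCOMPLETE = {"cc-number", "cc-exp", "cc-csc", "cc-name"}


class PageCollector(HTMLParser):
    """Collect <script src> and <input> tags in document order."""
    def __init__(self):
        super().__init__()
        self.scripts, self.inputs = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a)
        elif tag == "input":
            self.inputs.append(a)


def collect(html):
    p = PageCollector()
    p.feed(html)
    return p


def site_of(host):
    """Approximate registrable domain as the last two labels (real code uses the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def inventory(html, page_url):
    """Third-party scripts only, with vendor category and whether SRI is applied."""
    page_site = site_of(urlsplit(page_url).hostname)
    out = []
    for s in collect(html).scripts:
        url = urljoin(page_url, s["src"])
        host = urlsplit(url).hostname or ""
        if site_of(host) == page_site:
            continue  # first-party code already goes through your own review
        out.append({"url": url, "domain": host,
                    "category": CATEGORIES.get(site_of(host), "unknown"),
                    "sri": bool(s.get("integrity"))})
    return out


def payment_fields(html):
    """Names of inputs that look like card-data fields (the PCI DSS 6.4.3 scope trigger)."""
    hits = []
    for a in collect(html).inputs:
        label = a.get("name") or a.get("id") or ""
        autocomplete = (a.get("autocomplete") or "").lower()
        if autocomplete in PAYMENT_AUTOCOMPLETE or re.search(r"card|cc[_-]?num|cv[vc]", label.lower()):
            hits.append(label)
    return hits


def pci_scope(rendered_html, page_url):
    """Every third-party script on a page with a payment form has DOM access to it."""
    return inventory(rendered_html, page_url) if payment_fields(rendered_html) else []


def injected_by_tag_manager(static_html, rendered_html, page_url):
    """Scripts present after tag managers ran but absent from the served HTML."""
    before = {s["url"] for s in inventory(static_html, page_url)}
    return [s for s in inventory(rendered_html, page_url) if s["url"] not in before]


# Constructed pages. The integrity value is a placeholder, not a real digest.
PAGE_URL = "https://shop.example.test/checkout"
STATIC_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-TEST123"></script>
<script src="https://js.stripe.com/v3/"></script>
<script src="https://cdn.example-cdn.test/lib.min.js" integrity="sha384-constructedplaceholder" crossorigin="anonymous"></script>
</head><body>
<form id="payment">
<input name="cardholder" autocomplete="cc-name">
<input name="card_number" autocomplete="cc-number" inputmode="numeric">
<input name="exp" autocomplete="cc-exp">
<input name="cvc" autocomplete="cc-csc">
</form></body></html>"""
# Scripts a GTM container might add at runtime; none appear in the served HTML.
GTM_INJECTED = """<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
<script src="https://cdn.unknown-vendor.test/pixel.js"></script>
"""
RENDERED_HTML = STATIC_HTML.replace("</head>", GTM_INJECTED + "</head>")

if __name__ == "__main__":
    for s in inventory(STATIC_HTML, PAGE_URL):
        print("served:", s["domain"], s["category"], "SRI" if s["sri"] else "no SRI")
    for s in injected_by_tag_manager(STATIC_HTML, RENDERED_HTML, PAGE_URL):
        print("injected by tag manager:", s["domain"], s["category"])
    print("payment fields:", payment_fields(RENDERED_HTML))
    print("scripts in PCI scope:", len(pci_scope(RENDERED_HTML, PAGE_URL)))
```

On these pages the served HTML carries three third-party scripts, only one of them with SRI, and the rendered snapshot adds three more that never appeared in source control. Because the page has card fields, all six are in scope for the 6.4.3 inventory. A real snapshot would come from a headless browser after the tag manager has fired; the static/rendered split here just makes the diff reproducible offline.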
Security grade
All findings roll up into a single A-F grade weighted across eight factors. This provides one number to communicate risk to stakeholders and track improvements over time.
Why tag manager detection matters
Google Tag Manager appears on roughly 30% of the top million websites. It gives marketing teams the ability to add scripts without waiting for an engineering deploy. That same flexibility creates the biggest blind spot in many security programs.
Scripts loaded through GTM skip code review. They don't appear in your codebase. They don't pass through your CI/CD pipeline. They run in your users' browsers with full DOM access, and nobody on the engineering team approved them.
A compromised GTM container or rogue marketing pixel can inject malicious code across your entire site. The scanner makes this hidden attack surface visible.
Why fingerprinting detection matters
Device fingerprinting creates a unique identifier for users based on browser characteristics, hardware properties, and installed fonts. Unlike cookies, users can't easily remove fingerprints, and many don't know they're being tracked this way.
The privacy implications are serious. Regulators increasingly treat fingerprinting as personal data collection requiring explicit consent. If an analytics or advertising script fingerprints visitors on your site without proper disclosure, you inherit that compliance risk.
The scanner identifies which scripts use fingerprinting techniques and what methods they employ, letting you decide which third parties belong on your pages.
Scanner limitations
The scanner has real limitations worth understanding. It loads a page once, in one browser, from one location - a snapshot, not ongoing monitoring.
It misses:
- Scripts that vary by user: ad tech and A/B testing tools serve different code to different users, devices and geographies
- Intermittent attacks: Magecart skimmers that only fire on checkout for specific IP ranges or user agents
- Post-load injection: scripts that load additional code dynamically based on user interaction
- Tag manager changes: GTM containers can be updated at any time without a deployment
No scanner can observe what runs in your real users' browsers over time. The gap between a point-in-time audit and continuous monitoring is where attacks hide.
Where cside picks up
cside closes that gap through continuous client-side security monitoring. Instead of scanning once, cside proxies scripts before they reach the browser, inspecting runtime code across all users and sessions.
This catches what snapshots miss: scripts that behave differently for certain users, code that changes after review, and supply chain compromises that affect specific conditions. Real attacks don't wait for your next scheduled audit.
Try it
The scanner is free and open source on ClawHub:
```
npx clawhub@latest install cside-site-scanner
```

Then ask your AI agent to scan any site.
If the results raise concerns, we're here to help!