ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oauth Security Checker

v1.4.0

Detects OAuth 2.0 security flaws in web apps by checking redirect URIs, state parameter, PKCE, token endpoint, scopes, and authorization server details.

0· 98·0 current·0 all-time
by@snipercat69

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for snipercat69/edgeiq-oauth-security-checker.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Oauth Security Checker" (snipercat69/edgeiq-oauth-security-checker) from ClawHub.
Skill page: https://clawhub.ai/snipercat69/edgeiq-oauth-security-checker
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install edgeiq-oauth-security-checker

ClawHub CLI

Package manager switcher

npx clawhub@latest install edgeiq-oauth-security-checker
Security Scan
Capability signals
CryptoCan make purchasesRequires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code (oauth_checker.py) implements the described OAuth checks (redirect URI, state, PKCE, scopes, response_type, token endpoint probing). That part is coherent with the skill's stated purpose.
!
Instruction Scope
The SKILL.md and code instruct the agent/user to set environment variables (EDGEIQ_EMAIL, EDGEIQ_LICENSE_KEY) and to copy files from a local ~/.openclaw/workspace path. The skill uses the user's home directory (~/.edgeiq/license.key and stripe_licenses.json) for license state. These config paths and env vars are not declared in the registry metadata (which lists no required env or config paths). The install instructions reference local paths rather than a standard package install.
Install Mechanism
No install spec is provided (instruction-only), and code appears to be pure Python stdlib. There is no remote download/install step declared in the registry metadata.
!
Credentials
Registry metadata declares no required environment variables, yet the code and SKILL.md rely on EDGEIQ_EMAIL and EDGEIQ_LICENSE_KEY for unlocking Pro/Bundle features and read/write ~/.edgeiq license files. Requesting an email env var to gate features is unexpected and not declared; the skill also implicitly requires file-system access to the user's home directory to read license state.
Persistence & Privilege
The skill persists licensing state under ~/.edgeiq (license.key and stripe_licenses.json). It does not request always:true or system-wide configuration changes, nor does it modify other skills, but the presence of local persistence was not declared in metadata and could surprise users.
What to consider before installing
This skill appears to implement the advertised OAuth checks, but several inconsistencies raise caution: (1) metadata claims no required env vars or config paths, yet the code reads environment variables (EDGEIQ_EMAIL, EDGEIQ_LICENSE_KEY) and a license file under ~/.edgeiq — the registry should declare this. (2) Licensing logic contains a hardcoded email that automatically grants 'bundle' access and multiple inconsistent purchase links/pricing across files, which reduces trust in provenance. (3) The SKILL.md suggests copying files from a local workspace and running the Python file, so verify the source before running. Before installing or running: review the two Python files yourself (you have them here); run in an isolated/sandbox environment if possible; don't export sensitive secrets or tokens into EDGEIQ_EMAIL/EDGEIQ_LICENSE_KEY; inspect network activity at runtime to ensure results aren't being exfiltrated to unexpected endpoints; and prefer acquiring tools from a trusted upstream repo or vendor (confirm the GitHub/source and owner). If you intend to use Pro features, confirm the payment links and licensing behavior directly with the author and avoid hardcoding real account credentials into environment variables the tool reads.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ewe4z2m8cmgstwtgy83y0v185hmxx
98downloads
0stars
4versions
Updated 3d ago
v1.4.0
MIT-0
@snipercat69
latest
Download

OAuth Security Checker

Skill Name: oauth-security-checker Version: 1.0.0 Category: Security / Vulnerability Assessment Price: Lifetime: $39 / Optional Monthly: $7/mo (includes all Pro features permanently) Author: EdgeIQ Labs OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Linux

What It Does

Detects OAuth 2.0 misconfigurations, security flaws, and authorization issues in web applications. Checks redirect URI validation, token endpoint security, scope permissions, PKCE support, state parameter integrity, and more.

⚠️ Legal Notice: Only test OAuth integrations you own or have explicit written authorization to audit.

Features

  • Redirect URI validation — tests for localhost, null, and wildcard misconfigs
  • State parameter check — detects missing or weak CSRF protection
  • PKCE support detection — identifies apps missing code challenge
  • Token endpoint security — checks TLS, token format, expiration
  • Scope analysis — flags overly broad permissions
  • Implicit flow detection — warns about bearer token exposure
  • Authorization server fingerprinting — identifies provider and version
  • JSON export — structured results for reporting

Tier Comparison

FeatureFreeLifetime ($39)Optional Monthly ($7/mo)
Redirect URI checks✅ (5 URIs)✅ (unlimited)✅ (unlimited)
State parameter test
PKCE detection
Token endpoint analysis
Scope permission analysis
Full OAuth provider fingerprint
JSON export

Installation

cp -r /home/guy/.openclaw/workspace/apps/oauth-security-checker ~/.openclaw/skills/oauth-security-checker

Usage

Basic scan (free tier)

python3 oauth_checker.py --url "https://example.com/oauth/authorize?client_id=YOUR_ID&redirect_uri=https://example.com/callback&response_type=code&scope=read"

Pro scan with full analysis

EDGEIQ_EMAIL=your_email@gmail.com python3 oauth_checker.py \
  --url "https://example.com/oauth/authorize?client_id=YOUR_ID&redirect_uri=https://example.com/callback&response_type=code&scope=read write" \
  --pro

JSON report output

EDGEIQ_EMAIL=your_email@gmail.com python3 oauth_checker.py \
  --url "https://example.com/oauth/authorize?client_id=YOUR_ID&redirect_uri=https://example.com/callback&response_type=code" \
  --bundle --output oauth-report.json

As OpenClaw Discord Command

In #edgeiq-support channel:

!oauth https://example.com/oauth/authorize?client_id=YOUR_ID&redirect_uri=https://example.com/callback&response_type=code&scope=read
!oauth https://example.com/oauth/authorize?client_id=YOUR_ID --pro

Parameters

FlagTypeDefaultDescription
--urlstringAuthorization URL with query params
--proflagFalseEnable Pro features
--bundleflagFalseEnable Bundle features
--outputstringWrite JSON report to file
--timeoutint10Request timeout (seconds)

Output Example

=== OAuth Security Checker ===
Target: https://example.com/oauth/authorize

  [1m[91m🔴 CRITICAL: Redirect URI allows localhost[0m
    Pattern: https://localhost/callback
    Risk: Attacker can intercept authorization codes

  [1m[93m🟡 WARNING: State parameter not detected[0m
    Risk: CSRF attack possible via authorization hijacking

  [1m[92m✔ OK: PKCE is supported[0m
    Challenge method: S256

  [1m[92m✔ OK: Token endpoint requires TLS[0m
    Version: TLS 1.2+

  [1m[93m🟡 INFO: Scopes detected: read, write, admin[0m
    Warning: 'admin' scope is overly broad

  Threat Level: HIGH — 2 issues found

Pricing

Lifetime License: $39 — your tool forever, all features included permanently. Optional Monthly: $7/mo — for those who prefer recurring billing (cancel anytime). 👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo 👉 Subscribe Monthly — $7/mo

Pro Upgrade (deprecated)

All features now included in Lifetime purchase.

Support

Open a ticket in #edgeiq-support or email gpalmieri21@gmail.com

🔗 More from EdgeIQ Labs

edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.

  • 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
  • 📸 Screenshot API — URL-to-screenshot API for developers
  • 🔔 uptime.check — URL uptime monitoring with alerts
  • 🛡️ headers.check — HTTP security headers analyzer

👉 Visit edgeiqlabs.com →

Comments

Loading comments...