Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claude Connect

Connect Claude to Clawdbot instantly and keep it connected 24/7. Run after setup to link your subscription, then auto-refreshes tokens forever.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description promise (connect Claude to Clawdbot and auto-refresh tokens) aligns with the actual scripts: they read Keychain entries, call the OAuth endpoint, update ~/.clawdbot/agents/.../auth-profiles.json, and install a launchd job. Minor inconsistency: many docs/scripts refer to a 'claude-oauth-refresher' name while the registry entry is 'claude-connect', and README.md declares the repo deprecated — this naming/ageing mismatch is confusing but plausibly explained by a rename or deprecation notice.
! Instruction Scope
Runtime instructions and shipped scripts explicitly read macOS Keychain credentials, parse ~/.clawdbot/clawdbot.json, may call clawdbot CLI (e.g., message search) to auto-detect notification targets, write to auth-profiles.json, update Keychain, and restart the gateway. Those actions are consistent with the stated feature set, but they are high-privilege and touch sensitive local data (tokens, chat IDs, messaging history via CLI). The auto-detection step that runs clawdbot message search may access local messages/metadata; confirm you are comfortable with those reads and any CLI output parsing before running.
Install Mechanism
There is no external install spec (no network download); installation is via the included install.sh script (shipped in the skill). That reduces supply-chain risk from remote downloads but means you must inspect the shipped scripts before execution. The package writes a launchd plist into ~/Library/LaunchAgents and creates config/log files under $HOME — expected for this use but persistent.
! Credentials
The registry lists no env vars (correct), but the skill needs access to macOS Keychain and to read/write Clawdbot configuration files. Those accesses are proportionate to the goal (refreshing tokens), but they are sensitive: the scripts will read refresh/access tokens and will write OAuth credentials into Clawdbot's auth-profiles.json and Keychain. The skill does not request unrelated credentials, but you should verify Keychain identifiers used and ensure no unexpected network endpoints are contacted beyond auth.anthropic.com and local Clawdbot CLI.
! Persistence & Privilege
The installer creates a launchd job that runs every 2 hours to refresh tokens — persistent background presence is intentional for the feature. always:false (normal), but persistent auto-refresh combined with Keychain access increases blast radius if the code were malicious or later modified. The SKILL.md includes uninstall steps and a verify/validate script, which is good; still review the launchd plist and scripts before enabling.
What to consider before installing
This package appears to implement exactly what it says (reading Keychain, refreshing Claude OAuth, writing Clawdbot auth profiles, and installing a launchd refresher), but it is persistent and touches sensitive local tokens and messaging config. Before installing:

  1. Inspect refresh-token.sh, install.sh, and the launchd plist for any unexpected network endpoints or commands; confirm the only external OAuth calls are to auth.anthropic.com (or other expected endpoints).
  2. Back up ~/.clawdbot/agents/.../auth-profiles.json and your Keychain entries.
  3. If you don't need it: README notes Clawdbot may already handle this natively — consider using the native feature instead.
  4. If you proceed, run install.sh interactively and verify validate-update.sh / verify-setup.sh outputs; after installation, check ~/Library/LaunchAgents for the plist and inspect its contents.
  5. If you are uncomfortable granting ongoing Keychain/config write access, do not install. If you want higher assurance, run the scripts in a controlled/test account or review them with a security-savvy colleague.
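
One way to carry out the endpoint inspection in step 1, as an added example (not part of the skill or of the scan report): the function lists every host that appears in a literal URL in the shipped *.sh and *.plist files and is not on an allowlist. The sample files, the PLACEHOLDER path and the telemetry.example.net host are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the skill. Lists hosts named in literal http(s)
# URLs in a directory's *.sh and *.plist files that are not on the allowlist.
# Usage: unexpected_hosts DIR [ALLOWED_HOST...]
unexpected_hosts() {
    dir=$1; shift
    allowed=" $* "                      # space-padded for whole-word matching
    find "$dir" -type f \( -name '*.sh' -o -name '*.plist' \) -exec cat {} + |
        # A plist's DOCTYPE line always names www.apple.com; it is a DTD
        # reference, not a network call made by the job, so skip it.
        grep -v '<!DOCTYPE' |
        grep -oE 'https?://[A-Za-z0-9._-]+' |
        sed -E 's#^https?://##' |
        tr '[:upper:]' '[:lower:]' |    # host names are case-insensitive
        sort -u |
        while read -r host; do
            case "$allowed" in
                *" $host "*) ;;                     # expected endpoint
                *) printf '%s\n' "$host" ;;         # needs a human look
            esac
        done
}

# Constructed sample input: a script with one expected and one unexpected
# endpoint, and a minimal launchd-style plist.
make_sample() {
    printf '%s\n' '#!/bin/sh' \
        'curl -s https://auth.anthropic.com/PLACEHOLDER' \
        'curl -s https://Telemetry.example.net/collect' > "$1/refresh-token.sh"
    printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' \
        '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">' \
        '<plist version="1.0"><dict/></plist>' > "$1/com.example.sample.plist"
}

# Demo on the constructed sample; on a real install pass the skill directory.
sample=$(mktemp -d)
make_sample "$sample"
unexpected_hosts "$sample" auth.anthropic.com
rm -rf "$sample"
```

The check only sees literal http(s) URLs, so a host assembled from variables or passed without a scheme will not appear; an empty result is a starting point for reading the scripts, not a substitute for it.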

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.1.0
latest vk975tadega61c91qg39e94eh057zz0qz


SKILL.md

claude-connect

Connect your Claude subscription to Clawdbot in one step.

Automatically:

  • ✅ Reads Claude OAuth tokens from Keychain
  • ✅ Writes them to Clawdbot in proper OAuth format
  • ✅ Auto-refreshes every 2 hours (before expiry)
  • ✅ Notifies you on success/failure
  • ✅ Works with clawdbot onboard (fixes OAuth auth-profiles bug)

Quick Start

1. Install the skill:

clawdhub install claude-connect
cd ~/clawd/skills/claude-connect

2. Ensure Claude CLI is logged in:

claude auth
# Follow the browser login flow

3. Run installer:

./install.sh

That's it! Tokens will refresh automatically every 2 hours.


What It Does

Fixes clawdbot onboard OAuth Bug

When you run clawdbot onboard --auth-choice claude-cli, it sometimes doesn't properly write OAuth tokens to auth-profiles.json.

This skill:

  1. Reads OAuth tokens from macOS Keychain (where Claude CLI stores them)
  2. Writes them to ~/.clawdbot/agents/main/agent/auth-profiles.json in proper OAuth format:
    {
      "profiles": {
        "anthropic:claude-cli": {
          "type": "oauth",
          "provider": "anthropic",
          "access": "sk-ant-...",
          "refresh": "sk-ant-ort...",
          "expires": 1234567890
        }
      }
    }
    
  3. Sets up auto-refresh (runs every 2 hours via launchd)
  4. Keeps your connection alive 24/7

Installation

Automatic (Recommended)

cd ~/clawd/skills/claude-connect
./install.sh

The installer will:

  • ✅ Verify Claude CLI is set up
  • ✅ Create config file
  • ✅ Set up auto-refresh job (launchd)
  • ✅ Run first refresh to test

Manual

  1. Copy example config:

    cp claude-oauth-refresh-config.example.json claude-oauth-refresh-config.json
    
  2. Edit config (optional):

    nano claude-oauth-refresh-config.json
    
  3. Test refresh:

    ./refresh-token.sh --force
    
  4. Install launchd job (optional - for auto-refresh):

    cp com.clawdbot.claude-oauth-refresher.plist ~/Library/LaunchAgents/
    launchctl load ~/Library/LaunchAgents/com.clawdbot.claude-oauth-refresher.plist
    

Configuration

Edit claude-oauth-refresh-config.json:

{
  "refresh_buffer_minutes": 30,
  "log_file": "~/clawd/logs/claude-oauth-refresh.log",
  "notifications": {
    "on_success": true,
    "on_failure": true
  },
  "notification_target": "YOUR_CHAT_ID"
}

Options:

  • refresh_buffer_minutes: Refresh when token has this many minutes left (default: 30)
  • log_file: Where to log refresh activity
  • notifications.on_success: Notify on successful refresh (default: true)
  • notifications.on_failure: Notify on failure (default: true)
  • notification_target: Your Telegram chat ID (or leave empty to disable)

Usage

Manual Refresh

# Refresh now (even if not expired)
./refresh-token.sh --force

# Refresh only if needed
./refresh-token.sh

Check Status

# View recent logs
tail ~/clawd/logs/claude-oauth-refresh.log

# Check auth profile
cat ~/.clawdbot/agents/main/agent/auth-profiles.json | jq '.profiles."anthropic:claude-cli"'

# Check Clawdbot status
clawdbot models status

Disable Notifications

Ask Clawdbot:

Disable Claude refresh success notifications

Or edit config:

{
  "notifications": {
    "on_success": false,
    "on_failure": true
  }
}

How It Works

Refresh Process

  1. Read from Keychain: Gets OAuth tokens from Claude Code-credentials
  2. Check Expiry: Only refreshes if < 30 minutes left (or --force)
  3. Call OAuth API: Gets new access + refresh tokens
  4. Update auth-profiles.json: Writes proper OAuth format
  5. Update Keychain: Syncs new tokens back
  6. Restart Gateway: Picks up new tokens
  7. Notify: Sends success/failure message (optional)

Auto-Refresh (launchd)

Runs every 2 hours via ~/Library/LaunchAgents/com.clawdbot.claude-oauth-refresher.plist

Controls:

# Stop auto-refresh
launchctl unload ~/Library/LaunchAgents/com.clawdbot.claude-oauth-refresher.plist

# Start auto-refresh
launchctl load ~/Library/LaunchAgents/com.clawdbot.claude-oauth-refresher.plist

# Check if running
launchctl list | grep claude

Troubleshooting

OAuth not working after onboard

Symptom: clawdbot onboard --auth-choice claude-cli completes but Clawdbot can't use tokens

Fix:

cd ~/clawd/skills/claude-connect
./refresh-token.sh --force

This will write tokens in proper OAuth format.

Tokens keep expiring

Symptom: Auth keeps failing after 8 hours

Fix: Ensure launchd job is running:

launchctl load ~/Library/LaunchAgents/com.clawdbot.claude-oauth-refresher.plist
launchctl list | grep claude

No tokens in Keychain

Symptom: No 'Claude Code-credentials' entries found

Fix: Log in with Claude CLI:

claude auth
# Follow browser flow

Then run refresh again:

./refresh-token.sh --force

Uninstall

cd ~/clawd/skills/claude-connect
./uninstall.sh

Or manually:

# Stop auto-refresh
launchctl unload ~/Library/LaunchAgents/com.clawdbot.claude-oauth-refresher.plist
rm ~/Library/LaunchAgents/com.clawdbot.claude-oauth-refresher.plist

# Remove skill
rm -rf ~/clawd/skills/claude-connect

Upgrade

If you previously installed an older version:

cd ~/clawd/skills/claude-connect
./validate-update.sh  # Check what changed
clawdhub update claude-connect  # Update to latest
./install.sh  # Re-run installer if needed


Version: 1.1.0
Author: TunaIssaCoding
License: MIT
Repo: https://github.com/TunaIssaCoding/claude-connect
