ClawHub

Auth Guard

v1.1.1

Standardize API credential handling and startup auth checks to prevent "missing key" regressions across sessions. Use when an agent repeatedly loses auth sta...

0· 285·3 current·3 all-time
byAda Vale@adainthelab
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, examples, SKILL.md, and scripts all focus on performing an auth probe for protected endpoints and establishing helper scripts. The included script accepts a service name, probe URL, env-var name, and credentials file — exactly what an auth-check tool needs. No unrelated resources (cloud creds, extra binaries, or external services) are requested.
Instruction Scope
Runtime instructions and the provided script limit actions to reading an env var or a credentials JSON (under ~/.config/*), probing an HTTPS endpoint with curl, and returning a short status string. The SKILL.md explicitly warns against logging secrets and against pointing cred-file at arbitrary workspace files. There is no instruction to collect or transmit secrets elsewhere.
Install Mechanism
No install spec; this is instruction-only with one included helper script. Nothing is downloaded or written by an installer. Risk is limited to executing the provided script (which the user can review).
Credentials
The registry metadata declares no required env vars or primary credential. The script takes an env-var name as a parameter and checks a credentials file path supplied at runtime; it does not demand unrelated secrets. It also enforces that credential files must live under $HOME/.config/, reducing the chance of reading arbitrary workspace secrets.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent or elevated privileges, nor does it modify other skills' configs. It asks users to place helper scripts in workspace/.pi/, which is normal for helper tooling and something the user should review before executing.
Assessment
This skill appears coherent and limited to auth-probing behavior. Before installing or running: (1) review the included scripts in skills/auth-guard/scripts/auth_check.sh and any helper templates you copy into workspace/.pi/ so you understand what will be executed; (2) only pass probe URLs you trust and that belong to the target service (the script requires https://); (3) keep credential files under ~/.config/ as advised and ensure those files have appropriate filesystem permissions; (4) when adding the helper to HEARTBEAT.md/AGENTS.md, ensure teammates know the canonical retrieval order (env var first) so no automation unintentionally loses access; (5) if you plan to use helper scripts that read other local credential formats (e.g., gh/gh auth), integrate those carefully rather than pointing --cred-file at arbitrary workspace files.

Like a lobster shell, security has layers — review code before you run it.

authvk978czqrvddas2x119knybjpy182bajmautomationvk97cxqvtq6xnjyaynmh4afh1xx82b2q3hardeningvk978czqrvddas2x119knybjpy182bajmheartbeatvk97cxqvtq6xnjyaynmh4afh1xx82b2q3latestvk978czqrvddas2x119knybjpy182bajmreliabilityvk978czqrvddas2x119knybjpy182bajmsecurityvk978czqrvddas2x119knybjpy182bajmsession-persistencevk97cxqvtq6xnjyaynmh4afh1xx82b2q3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Auth Guard

Enforce a deterministic auth path: one credential source, one helper command path, one startup check, one fallback policy.

Quick Workflow

  1. Identify the target service endpoint and current failing flow.
  2. Define canonical credential source (env var first, credentials file second).
  3. Create/update a helper script in workspace (.pi/) that always injects auth.
  4. Add a startup/auth-check command that verifies credentials and endpoint access.
  5. Update HEARTBEAT.md or AGENTS.md to require helper usage (ban raw unauthenticated calls).
  6. Add explicit fallback behavior for unauthorized states.

Rules to Apply

  • Prefer ENV_VAR override, then ~/.config/<service>/credentials.json.
  • Never embed secrets in logs, memory notes, or chat responses.
  • Never call protected endpoints via raw curl if a helper exists.
  • Keep fallback behavior explicit and low-noise.
  • Store helper scripts in workspace/.pi/ for easy reuse.

Runtime Requirements

  • bash
  • curl
  • python3

Check once before using this skill:

command -v bash curl python3 >/dev/null

Safety Limits

  • Pass only trusted credential paths under ~/.config/<service>/... by default.
  • Do not point --cred-file at arbitrary workspace files or unrelated secret stores.
  • Keep probe URLs scoped to the target service auth endpoint.

Startup Auth Check Pattern

Run at session start (or before heartbeat loops):

bash skills/auth-guard/scripts/auth_check.sh \
  --service moltbook \
  --url 'https://www.moltbook.com/api/v1/feed?sort=new&limit=1' \
  --env-var MOLTBOOK_API_KEY \
  --cred-file "$HOME/.config/moltbook/credentials.json"

Expected outcomes:

  • AUTH_OK → proceed with normal authenticated helper flow.
  • AUTH_MISSING or AUTH_FAIL_* → use defined fallback path and record one concise note.

Reusable Snippets

Use drop-in policy snippets from:

  • references/snippets.md (HEARTBEAT + AGENTS + helper policy blocks)

References

  • references/contract.md for the full Keychain Contract pattern
  • references/snippets.md for ready-to-paste operational snippets
  • references/examples.md for multi-service usage examples (Moltbook, GitHub, Slack)

Files

5 total
Select a file
Select a file to preview.

Comments

Loading comments…