Auth Guard
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Auth Guard is a coherent credential-check helper with disclosed API-token handling, but users should configure its credential paths and probe URLs carefully.
This skill appears purpose-aligned and not malicious. Before installing or using it, make sure each configured credential file and environment variable belongs to the intended service, each probe URL is the official HTTPS endpoint for that same service, and any HEARTBEAT.md or AGENTS.md snippets are narrow enough for future sessions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If configured incorrectly, an API token could be sent to the wrong HTTPS endpoint, but the behavior is disclosed and central to the skill’s purpose.
The helper intentionally retrieves a token from the selected environment variable or credential file and uses it for an authenticated API probe.
KEY="$(get_key || true)" ... curl ... -H "Authorization: Bearer $KEY" "$URL"
Use only service-specific environment variables and credential files, and verify that each probe URL belongs to the same service as the credential.
A mistaken or overly broad configuration could make the helper test credentials against an unintended endpoint.
The skill relies on a user- or agent-supplied URL for the auth probe; the document gives a safety limit, while the script enforces HTTPS but not service-domain matching.
Keep probe URLs scoped to the target service auth endpoint.
Before adding a startup check, confirm the endpoint domain and path are the official auth-check endpoint for the intended service.
Future agent runs may continue following the added auth-helper policy even after the original task is complete.
The skill recommends adding persistent agent-facing policy text, which can influence future sessions and automation.
Add short policy lines to HEARTBEAT.md / AGENTS.md that ban bypassing helper scripts.
Keep added HEARTBEAT.md or AGENTS.md rules service-specific, review them periodically, and remove them if the integration is no longer needed.