Scalekit Agent Auth

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: scalekit-agent-auth
Version: 2.4.2

The skill bundle is classified as suspicious primarily due to the inclusion of the `--get-authorization` command in `tool_exec.py`, which explicitly retrieves and prints raw OAuth access and refresh tokens. While `SKILL.md` contains instructions advising the agent to avoid this command, its presence in a tool designed for AI-driven execution creates a high risk of credential exfiltration via prompt injection. Additionally, the `--proxy-request` feature allows for arbitrary HTTP requests to connected third-party services (e.g., Notion, Slack), which provides a powerful mechanism for unauthorized data access if the agent's logic is subverted.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

The agent could perform actions in connected SaaS tools when a request is ambiguous, potentially changing documents, sending messages, or modifying business data.

Why it was flagged

The skill is instructed to act broadly across external services, including action-taking, with no clear per-action confirmation boundary for writes or other side effects.

Skill content

Use this skill whenever the user asks for information from, or wants to take an action in, a third-party tool or service... Trigger this skill any time the user's request involves an external service, integration, or data source — even if the provider is not explicitly named.

Recommendation

Require explicit user confirmation before write, send, delete, publish, or administrative actions, and narrow invocation rules to named providers and clearly identified accounts.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

If used incorrectly, the agent may make broad API calls through a connected account, including mutating requests or uploads/downloads that were not constrained by a provider-specific tool schema.

Why it was flagged

The code exposes a direct proxied HTTP request path with caller-controlled method, path, body, headers, and file input/output, which can bypass safer schema-defined tool workflows.

Skill content

`def proxy_request(... path: str, method: str = "GET", query_params: dict = None, body: dict = None, output_file: str = None, input_file: str = None, extra_headers: dict = None):`

Recommendation

Disable proxy fallback by default or require explicit user approval, allowed-method/path restrictions, and clear warnings before any non-GET request or file transfer.

What this means

A request intended for one workspace or account could be executed in another connected account.

Why it was flagged

Automatically selecting the first completed connection can use the wrong account, tenant, or workspace when multiple valid connections exist.

Skill content

If multiple COMPLETED connections found → the first one is selected automatically (a warning is shown).

Recommendation

Prompt the user to choose among multiple completed connections and display the selected account/workspace before executing any action.

What this means

Data from connected services and user-provided tool inputs may pass through the Scalekit integration path.

Why it was flagged

The skill routes requests and results through Scalekit Connect and connected providers, which is expected for its purpose but important for users to understand.

Skill content

executes tools on any connected third-party service via Scalekit Connect

Recommendation

Use least-privilege provider scopes, avoid connecting highly sensitive accounts unless needed, and review Scalekit's data-handling policies.

What this means

A future dependency update could affect runtime behavior or security posture.

Why it was flagged

The install uses Python dependencies with lower-bound version ranges rather than pinned versions; this is common but means future dependency versions may change behavior.

Skill content

`dependencies = ["protobuf>=5.29.6", "python-dotenv>=1.1.1", "scalekit-sdk-python>=2.6.1"]`

Recommendation

Install in a trusted environment and consider using a lockfile or pinned dependency versions for production use.