Oauth Debugger
Review
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only OAuth debugging skill is purpose-aligned, but it asks users to handle real OAuth secrets and tokens, so outputs and commands should be reviewed carefully.
Install only if you are comfortable letting the agent guide OAuth debugging. Treat all client secrets, authorization codes, access tokens, and refresh tokens as sensitive; use staging credentials where possible, verify AUTH_DOMAIN before any curl command, and redact outputs before sharing them.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If variables are set incorrectly, OAuth secrets or tokens could be sent to the wrong endpoint or exposed in command output.
The skill instructs use of shell curl commands to call OAuth token endpoints. This is expected for an OAuth debugger, but users should verify the domain and parameters before running commands that transmit credentials.
curl -s -X POST "https://$AUTH_DOMAIN/oauth/token"
Run the commands only against trusted OAuth provider domains, preferably in a test environment, and review command parameters before execution.
Client secrets, authorization codes, access tokens, and refresh tokens may allow account or API access if revealed or reused.
The documented flows use sensitive OAuth credentials and tokens. This is central to the skill’s debugging purpose, but those values can grant access to protected accounts or APIs.
-d "client_secret=$CLIENT_SECRET" ... -d "refresh_token=$REFRESH_TOKEN"
Use least-privilege test clients when possible, avoid sharing raw command output, redact tokens before pasting logs, and rotate or revoke credentials after debugging if exposure is possible.
