Account & Authentication

v1.0.1

Account signup, login via email/OTP/wallet/biometric, token refresh, password reset, and session management.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (signup, login, session management, password reset, wallet linking) match the listed API endpoints and flows. All declared requirements (only AIOT_API_BASE_URL) are relevant to contacting the API. The only minor oddity is that the registry metadata marks the base URL as the "primary credential" even though a URL is not a secret credential; this appears to be a labeling choice rather than a functional mismatch.
Instruction Scope
SKILL.md provides specific HTTP endpoint flows (send OTP, verify OTP, signup, login, refresh, etc.) and explicitly confines behavior to those flows. Instructions do not ask the agent to read local files or unrelated environment variables, nor to transmit data to endpoints outside the documented API base URL. The guidance about never logging or persisting secrets is appropriate, though an instruction-only skill cannot technically enforce runtime logging policies.
Install Mechanism
There is no install spec and there are no code files — the skill is instruction-only, which minimizes on-disk risk. Nothing is downloaded or executed automatically.
Credentials
The skill only requires AIOT_API_BASE_URL, which is proportionate to an API client. Note: the registry marks that variable as a "primary credential" even though it is just a URL (not a secret). There are no requests for unrelated secrets or credentials.
Persistence & Privilege
always:false and no install-time persistence are present. The skill does not request permanent system presence or attempt to modify other skills or system configuration. The default ability for the agent to invoke the skill autonomously is normal and not by itself a concern.
Assessment
This skill appears internally consistent, but review these practical checks before installing:
1) Verify the API base URL (default: https://payment-api-dev.aiotnetwork.io) is a trusted endpoint for your use — consider overriding AIOT_API_BASE_URL for production to a verified domain and ensure HTTPS/TLS is enforced.
2) The variable labeled as a "primary credential" is just a URL; no secrets are requested by the skill, but the API itself will handle authentication (tokens/OTP) — ensure the agent runtime will not persist or log tokens or passwords.
3) Because this is an instruction-only skill with autonomous invocation allowed, confirm you trust the skill owner and the API service before allowing agent-initiated auth flows.
4) If you need stronger safeguards, restrict the skill from running autonomously or audit network calls to the API during initial use.
If you want more assurance, request the skill's source or an official homepage from the publisher before using it in production.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Env: AIOT_API_BASE_URL
Primary env: AIOT_API_BASE_URL
