oauth-coder-bridge
v1.3.0
Routes OpenClaw Anthropic API calls through oauth-coder (Claude CLI with OAuth), no API key needed.
by Earl Co @earlvanze
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's code, README, and SKILL.md all implement a local HTTP bridge that translates Anthropic messages to oauth-coder CLI calls to the claude binary — this matches the name/description. However, the registry metadata declared no required binaries/env vars while the script requires a local 'oauth-coder' binary (or OAUTH_CODER_BIN) to exist; that metadata omission is an inconsistency users should be aware of. The setup script also updates the user's OpenClaw config (~/.openclaw/openclaw.json) which is consistent with enabling the bridge but is a side effect that requires write access to user config.
Instruction Scope
The SKILL.md and included scripts stay within the bridge's scope: install the bridge script to ~/.openclaw/scripts, update the OpenClaw provider config to point at localhost:8787, and run a local HTTP server. The bridge accepts /v1/messages and runs oauth-coder as a subprocess to produce completions. The instructions do modify the user's OpenClaw config and suggest systemd enablement if desired; both are expected for this kind of integration. The documentation warns that prompts/responses can be logged if LOG_FILE is set.
Install Mechanism
There is no external download step in the included setup.sh — it copies the provided bridge script into ~/.openclaw/scripts and runs a local Python updater to modify openclaw.json. That is low-risk compared to remote installs. The package does not pull code from untrusted URLs during install.
Credentials
The skill does not request external API keys via registry metadata, but it requires an already-authenticated oauth-coder/claude CLI on the host. That means the bridge will cause OpenClaw requests to be fulfilled using the user's local OAuth tokens/session managed by oauth-coder/claude — this is proportional to the stated purpose but is sensitive (local credentials/tokens are used). The bridge may also log prompts/responses if LOG_FILE is set. Also, environment variables used by the code (OAUTH_CODER_BIN, OAUTH_CODER_BRIDGE_PORT, etc.) are documented in SKILL.md but not declared in registry metadata — another discrepancy.
Persistence & Privilege
The skill does install a script under ~/.openclaw/scripts and updates ~/.openclaw/openclaw.json to add a new provider. This is expected to expose the bridge to OpenClaw but it is not 'always: true' and does not force persistent installation by itself. The README/SKILL.md also suggest an optional systemd unit for auto-start; enabling that would increase persistence but is user-controlled.
Assessment
This skill is functionally coherent with its description, but review these points before installing:
- Ensure oauth-coder and the claude CLI are installed and authenticated locally, and that you trust them (run 'claude login' yourself). The bridge will use those local OAuth tokens to answer requests, which gives OpenClaw access to your authenticated CLI session.
- Back up ~/.openclaw/openclaw.json before running the setup script: scripts/update-openclaw-config.py will modify that file and add a 'claude-cli' provider. Confirm the exact changes match your expectations.
- Inspect the included scripts (oauth-coder-bridge.py, setup.sh, update-openclaw-config.py) yourself. The bridge runs oauth-coder as a subprocess (subprocess.run) and will execute whatever the oauth-coder binary does — trust in that binary is required.
- Be aware prompts/responses may be written to a log file if you set OAUTH_CODER_BRIDGE_LOG_FILE; by default logging goes to stderr. If you are handling sensitive prompts, avoid enabling persistent logging or ensure log file permissions are secure.
- The registry metadata omits the required oauth-coder dependency and environment variables documented in SKILL.md; treat that as an authoring oversight and verify prerequisites before install.
If you are uncertain about trusting the oauth-coder/claude CLI or do not want OpenClaw to be able to use your local OAuth session, do not install or run the bridge.
