botauth
Audited by ClawScan on May 10, 2026.
Overview
This skill transparently helps an agent use a local botauth vault, but it can request approved access to sensitive API keys, tokens, and passwords.
Use this skill only if you trust the botauth CLI and want the agent to request vault secrets for tasks. Keep the vault locked when not needed, approve only expected secret requests, and avoid writing retrieved secrets to long-lived files unless necessary.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
If approved, the agent may receive API keys, tokens, or passwords and use them in the current task, including exporting them to environment variables or writing configuration.
The skill is explicitly designed to access secrets from a user vault, which is sensitive delegated authority even though it is purpose-aligned and disclosed.
Use `botauth` to securely retrieve API keys, tokens, and credentials from the user's botauth vault. The desktop app must be running, the vault must be unlocked
Only approve requests for secrets that are needed for the current task, review desktop approval prompts carefully, and avoid broad list/search access if you do not want the agent to see vault metadata.

Finding 2
A compromised or unexpected botauth CLI package would handle sensitive vault interactions outside the reviewed skill text.
The skill depends on an external, globally installed npm CLI package that is not included in the artifacts, so its implementation and provenance are outside this review.
npm install -g @botauth/cli
Install the CLI only from a trusted source, verify the package name and publisher, and prefer a pinned or otherwise verified version when possible.
