Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Max Auth

v2.2.0

Security authentication gate for OpenClaw sensitive actions. Deploys a local Node.js auth server with biometric passkeys (WebAuthn/Touch ID/Face ID) and mast...

by Felipe Matos (@felipematos)
Security Scan

Capability signals: Crypto; Requires OAuth token; Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md and package.json clearly require Node.js (and instruct running npm install), but the registry metadata lists no required binaries; that is an incoherence. The declared purpose (local auth server with WebAuthn and one-time secret forms) does explain the files present and the npm dependency, but the metadata omission could mislead automatic guards or users.
Instruction Scope
Runtime instructions are focussed on deploying a local auth server: copying files to ~/.max-auth, running npm install, setting a master password, and starting the server. The instructions intentionally write persistent files under ~/.max-auth (password hash, session, passkeys, audit log) which is consistent with an auth server. The docs also show examples to expose the server via reverse proxies and Tailscale — exposing the server to networks increases risk and requires careful configuration. SKILL.md claims one-time secret values are memory-only; I could not fully verify this because the bundled JS was truncated in the listing.
Install Mechanism
There is no formal install spec; installation is manual (copy files, npm install). The package.json pulls @simplewebauthn/server from npm — a normal dependency for WebAuthn. Because installation is user-run (npm install), there is no direct download-from-arbitrary-URL risk, but users must be aware npm will fetch packages from the registry.
Credentials
The skill declares no required environment variables in registry metadata, yet the code reads optional env vars (AUTH_PORT, RP_ID, RP_ORIGIN). No unrelated credential values are requested. However, code attempts to run a child_process to call 'tailscale status --json' to determine RP_ID: this probes system state outside the described auth-server core (it’s a convenience for auto-detecting an origin but is an unexpected side-effect).
Persistence & Privilege
The server persists configuration and logs under the user's home (~/.max-auth) and the documentation includes a systemd example for persistent running under the user account. It does not request system-wide privileges by default (no always: true). Running it as a system service or exposing it through a reverse proxy/Tailscale raises additional risk but is an explicit operator choice in the docs.
What to consider before installing
This skill appears to implement a local auth server that needs Node.js and npm, but the registry metadata omitted the Node requirement — don't rely on the metadata alone. Before installing: (1) review the full auth-server.js (the listing was truncated) to confirm one-time secrets truly stay in memory and are not written to disk; (2) be cautious about exposing the server externally (reverse proxy or Tailscale examples) — only expose it with correct HTTPS and access controls; (3) note the code runs a local shell command ('tailscale status') if available — ensure your PATH and local binaries are trusted; (4) run npm install in an isolated environment (container or dedicated user) if you want to limit blast radius; (5) confirm you are comfortable with files created in ~/.max-auth (password hash, passkeys, audit log). If anything looks unexpected in the missing portions of auth-server.js, do not install or run it until clarified.
assets/auth-server.js:44
Shell command execution detected (child_process).
assets/auth-server.js:25
Environment variable access combined with network send.
assets/auth-server.js:201
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk976p683pt41mt93e5az5s0gj185ad24
389 downloads
0 stars
6 versions
Updated 1h ago
v2.2.0
MIT-0

Max Auth

A lightweight self-hosted authentication server for OpenClaw. It protects sensitive agent actions with biometric passkeys and a master password, supports independent auth per session/channel, and can collect secrets via one-time HTTPS forms so credentials never need to appear in chat.

Features

  • 🔑 Biometric passkeys via WebAuthn
  • 🔐 Master password using PBKDF2 + salt
  • ⏱ 2-hour session tokens
  • 🔒 Session-scoped auth per sessionKey (telegram:6314900956, discord:channel:123, etc.)
  • 🔗 Delegated grants between sessions
  • 🧾 Audit log at ~/.max-auth/audit.log
  • 🌍 Browser UI localized in Portuguese, English, and Spanish
  • 🕳️ One-time secure secret forms (request_secret / retrieve_secret)
  • 🔌 OpenClaw plugin tools: check_auth, require_auth, request_secret, retrieve_secret

Requirements

  • Node.js 18+
  • HTTPS reverse proxy in front of the local auth server for WebAuthn browser flows

Quick Setup

mkdir -p ~/.max-auth && cd ~/.max-auth
cp <skill-path>/assets/auth-server.js .
cp <skill-path>/assets/package.json .
npm install

node auth-server.js set-password 'your_strong_password'
node auth-server.js

By default the server runs on 127.0.0.1:8456. Use references/api.md for systemd, proxying, and HTTP API details.

Session-scoped auth

Each channel/session has its own auth state.

Examples:

  • telegram:6314900956
  • discord:channel:1488653811185881133
  • global

Typical check:

curl -s "http://127.0.0.1:8456/status?session=telegram%3A6314900956"

If auth is missing, direct the user to:

https://your-host/auth?session=telegram%3A6314900956

Secure secret handoff

Use this when the user needs to give a password/token/API key without leaking it into chat.

Flow:

  1. Agent calls request_secret with a label + field definitions
  2. User opens the returned HTTPS URL and submits the form in the browser
  3. Agent polls with retrieve_secret
  4. Values are returned once and then consumed/deleted from memory

The values are stored in memory only, expire automatically, and are not written to the chat transcript.
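
The handoff properties described above (memory-only storage, automatic expiry, single retrieval) can be sketched as follows. This is an added example, not code from Max Auth's auth-server.js; it is useful as a reference for what to look for when reviewing that file. The class name, method names, status strings, and the 5-minute default TTL are assumptions.

```javascript
// Added example: in-memory, one-time secret store (not Max Auth's own code).
const { randomBytes } = require('node:crypto');

class OneTimeSecretStore {
  constructor(ttlMs = 5 * 60 * 1000, now = () => Date.now()) {
    this.ttlMs = ttlMs;       // assumed lifetime; the page gives no value
    this.now = now;           // injectable clock so expiry can be tested
    this.pending = new Map(); // id -> { label, fields, values, expiresAt }
  }

  // Agent side: open a request and get an unguessable id for the form URL.
  request(label, fields) {
    const id = randomBytes(32).toString('base64url');
    this.pending.set(id, {
      label, fields, values: null, expiresAt: this.now() + this.ttlMs,
    });
    return id;
  }

  // Browser side: accept exactly one submission, declared fields only.
  submit(id, form) {
    const entry = this.live(id);
    if (!entry || entry.values) return false;
    entry.values = {};
    for (const f of entry.fields) entry.values[f] = String(form[f] ?? '');
    return true;
  }

  // Agent side: poll. Values are handed over once, then the entry is deleted.
  retrieve(id) {
    const entry = this.live(id);
    if (!entry) return { status: 'gone' };
    if (!entry.values) return { status: 'pending' };
    this.pending.delete(id);
    return { status: 'ready', values: entry.values };
  }

  // Look up an entry, dropping it as soon as it is seen past its deadline.
  live(id) {
    const entry = this.pending.get(id);
    if (entry && this.now() >= entry.expiresAt) {
      this.pending.delete(id);
      return undefined;
    }
    return entry;
  }
}
```

Nothing in this sketch touches the filesystem or a logger; any `fs` write or audit-log call that receives submitted values in the real server would contradict the memory-only claim.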

When to require auth

Require auth before:

  • deleting files/data
  • package installs
  • system configuration changes
  • sending messages/emails to third parties
  • mutating external APIs

Do not require auth for ordinary read/search/list/fetch operations.

References

  • references/api.md — setup + HTTP API
  • references/integration.md — agent integration patterns
