User-Delegated OAuth API Access

v1.0.6

Let agents request OAuth access from end users via short links, continue working asynchronously, and later claim reusable third-party API tokens from local k...

by Hagen Hoferichter (@h4gen)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, the required binary (clawauth), and the included installer metadata all align: this is an OAuth handover helper that expects a preinstalled CLI and an operator-managed install path. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are narrowly scoped to running the clawauth CLI commands (start/status/claim/etc.), parsing JSON, and avoiding token leakage. The skill explicitly forbids running package installs from the agent and warns not to paste tokens to chat/logs. This is coherent, but it relies on the agent/operator to enforce secret-handling rules—accidental token exposure via logs or chat would be a real operational risk.
Install Mechanism
Installer metadata points to an npm package ('clawauth') which is an expected and traceable mechanism for a CLI. npm installs are a moderate-risk install vector; the SKILL.md recommends operator-side preinstallation and pinning. No ad-hoc or unknown URL downloads are instructed by the skill itself.
Credentials
The skill requests no environment variables or credentials in its metadata. The only notable side-effect is that claimed tokens are stored in the local system keychain by the CLI—this is plausible and proportionate to the stated purpose, but requires operators to accept local keychain writes.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high-privilege requests.
Assessment
This skill is internally consistent for providing an async OAuth handoff via a CLI, but before installing:
1) Review the clawauth npm package and its GitHub source (the SKILL.md points to a repo) and pin an approved version;
2) Ensure the operator pre-installs the CLI into a trusted runtime image (avoid agent-run npm installs);
3) Confirm your runtime's keychain policies and that storing provider tokens locally is acceptable;
4) Make sure agents are configured to never paste CLI output containing tokenData into chat, logs, or telemetry; and
5) If you need higher assurance, run the CLI in an isolated environment and audit its network traffic (it communicates with auth.clawauth.app by default).

Runtime requirements

🔐 Clawdis
Bins: clawauth

Install

Install clawauth CLI (node)
Bins: clawauth
npm i -g clawauth
