OpenBotAuth
Result: Pass. Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for creating an agent cryptographic identity, but it handles an OpenBotAuth token, a private key, and persistent identity notes that users should treat carefully.
This looks like a legitimate instruction-only identity setup skill. Before using it, be comfortable giving the agent a short-lived OpenBotAuth token, verify the token scopes are minimal, delete the token file after registration, and protect the generated private key in ~/.config/openbotauth/key.json.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A pasted OpenBotAuth token could register agent identities tied to the user's account until it is deleted or expires.
The skill asks the agent to receive and store a bearer token with account-related scopes, then use it to register an agent identity. This is expected for the service and includes scoping/deletion guidance, but it is still sensitive delegated authority.
The OBA token lives at `~/.config/openbotauth/token` (chmod 600). ... Use it ONLY for `POST /agents` ... Minimum scopes: `agents:write` + `profile:read`
Only provide a minimally scoped token, confirm registration succeeded, and delete ~/.config/openbotauth/token afterward as the skill recommends.
Anyone who can read the key file could sign requests as that agent identity.
The skill creates and stores an Ed25519 private key that represents the agent's cryptographic identity. This is core to the stated purpose and stored under a scoped config directory with chmod guidance, but compromise of the file would compromise the identity.
Keys are stored at `~/.config/openbotauth/key.json` ... `privateKeyPem`: `-----BEGIN PRIVATE KEY-----\n...`
Keep the key file private, avoid sharing it, and rotate or delete the identity if the file may have been exposed.
The agent may remember and reuse the registered identity information across sessions.
The skill explicitly asks for persistent agent memory/notes. The named data appears to be registration metadata rather than the private key or bearer token, but persistent identity context can be reused in later tasks.
Agent registration info (agent_id, JWKS URL) should be saved in agent memory/notes after Step 3.
Store only non-secret registration details in memory, and do not save the bearer token or private key in agent notes.
Running the setup commands will create local configuration files and later contact the OpenBotAuth API for registration.
The skill relies on local shell/Node commands to generate and store keys. This is disclosed and central to the identity setup workflow, with no visible hidden package install or obfuscation.
Tools: Bash ... Run this locally. Nothing leaves the machine. ... `node -e "... crypto.generateKeyPairSync('ed25519') ... fs.writeFileSync(... 'key.json' ... )`
Review commands before running them and ensure they write only to ~/.config/openbotauth as documented. Note that "Nothing leaves the machine" describes the key-generation command only; the later `POST /agents` registration step does contact the OpenBotAuth API.
