ClawHub

Passkey

v1.0.0

Implement WebAuthn passkeys avoiding critical security and compatibility pitfalls.

2· 921·1 current·1 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description describe WebAuthn/passkey implementation guidance and the SKILL.md contains only high-level, implementation-appropriate recommendations (libraries to use, storage fields, UX/testing guidance). There are no unrelated requirements (no env vars, binaries, or config paths).
Instruction Scope
The instructions stay within the domain of implementing and testing passkeys (challenge handling, origin validation, credential storage, attestation trade-offs, cross-device UX, testing). They do not instruct reading unrelated files, exfiltrating data, or calling external endpoints beyond recommending libraries and browser testing tools.
Install Mechanism
No install spec or code files are present; this is instruction-only, so nothing is written to disk or fetched during install.
Credentials
The skill declares no environment variables, credentials, or config paths. The recommendations about storing credential ID/public key/sign count are appropriate for the stated purpose and do not require extra secrets or platform credentials.
Persistence & Privilege
The skill is not forced-always, is user-invocable, and does not request persistent system privileges or modify other skills' configuration.
Assessment
This skill is a coherent, low-risk set of best-practice notes for implementing WebAuthn; it contains no installers, code, or secret requests. Before relying on it: (1) verify recommended libraries and their current security posture (versions and recent CVEs) rather than blindly copying snippets; (2) pay attention to details the guidance skirts (attestation policy, backup/recovery flows, privacy/consent, legal/compliance requirements); (3) ensure any code you or the agent produce based on this guidance follows secure storage and transport practices (e.g., protect databases and backups holding credential IDs/public keys, use HTTPS and strict origin checks); and (4) include independent code review and automated tests (the SKILL.md itself recommends CI virtual authenticators). Overall this skill is informational and appropriate to install, but treat it as guidance — validate library sources and test thoroughly before deploying to production.

Like a lobster shell, security has layers — review code before you run it.

latestvk972wjszkshk9j4htkf1t4mh7s80wf7e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔐 Clawdis
OSLinux · macOS · Windows

Comments