Oidc Integration

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only helper for OIDC/OAuth login integration, with expected authentication guidance and no executable code or hidden data collection.

Reasonable to install as an auth-integration guidance skill. Because it can guide changes to login and authorization behavior, review any generated issuer, audience, scope, redirect URI, token storage, refresh, logout, CORS, and route-protection code before deploying.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 91%
Finding: The manifest description says to use the skill for '"add login" and "integrate IdP" style requests even if they do not explicitly say OIDC.' 'Add login' is broad enough to overlap with many non-OIDC authentication tasks, and the file does not provide exclusion conditions or negative examples to bound when the skill should not activate.

Credential Access

High
Category: Privilege Escalation
Content:
- the backend already exists
- the frontend is same-origin with the backend
- the app does not need browser-side access tokens
- the team wants to reduce token exposure in JavaScript

### Multi-Provider Authentication
Confidence: 70%
Finding: access tokens

Credential Access

High
Category: Privilege Escalation
Content:
- Login succeeds from a clean session.
- Callback handles success and provider error responses.
- Protected routes redirect or reject correctly.
- Expired access tokens are handled correctly.
- Refresh behavior works or fails cleanly.
- Backend rejects tokens with wrong issuer or audience.
- Logout clears local state and, when needed, signs out from the provider.
Confidence: 70%
Finding: access tokens

VirusTotal

66/66 vendors flagged this skill as clean.