Oauth Disguise
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill does not install code, but it asks OpenClaw to treat Anthropic OAuth/Claude Pro tokens as API keys and persistently change model configuration.
Review carefully before installing. This skill has no executable code, but it asks you to place an Anthropic OAuth token into persistent OpenClaw configuration and use it like an API key. Use official API keys or supported OAuth flows where possible, avoid committing openclaw.json, limit the change to a specific agent if you proceed, and rotate the token if it is exposed.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Anthropic/Claude account token could be used by OpenClaw as an API credential, potentially affecting account access, usage, billing, or policy compliance if the token is not intended for this use.
The skill is explicitly about repurposing OAuth/subscription tokens as API credentials instead of standard API keys, which can cross credential and authorization boundaries and gives OpenClaw delegated access through a high-impact token.
Configure Anthropic OAuth tokens (`sk-ant-oat01-*`) as working API keys ... configuring Claude Pro/Team subscription tokens for API use. NOT for: standard API keys
Prefer official Anthropic API keys or a supported OAuth flow. Only use this if the provider and your organization explicitly permit it, store the token securely, and rotate it if it may have been exposed.
Running the main example can switch OpenClaw's default model/provider and make future agent calls use the supplied token.
The documented command mutates OpenClaw environment variables, model providers, and default agent model selection. It is user-directed and purpose-aligned, but it can affect future sessions and multiple agents.
openclaw config patch '{ "env": { "vars": { "ANTHROPIC_API_KEY": "sk-ant-oat01-YOUR_TOKEN" } }, ... "agents": { "defaults": { "model": { "primary": "anthropic-official/claude-sonnet-4-20250514" } } } }'
Back up your OpenClaw config first, prefer the per-agent configuration if possible, and confirm which agents will use the token before restarting the gateway.
