Oauth Disguise
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Anthropic/Claude account token could be used by OpenClaw as an API credential, potentially affecting account access, usage, billing, or policy compliance if the token is not intended for this use.
The skill is explicitly about repurposing OAuth/subscription tokens as API credentials instead of standard API keys, which can cross credential and authorization boundaries and gives OpenClaw delegated access through a high-impact token.
Configure Anthropic OAuth tokens (`sk-ant-oat01-*`) as working API keys ... configuring Claude Pro/Team subscription tokens for API use. NOT for: standard API keys
Prefer official Anthropic API keys or a supported OAuth flow. Only use this if the provider and your organization explicitly permit it, store the token securely, and rotate it if it may have been exposed.
Running the main example can switch OpenClaw's default model/provider and make future agent calls use the supplied token.
The documented command mutates OpenClaw environment variables, model providers, and default agent model selection. It is user-directed and purpose-aligned, but it can affect future sessions and multiple agents.
openclaw config patch '{ "env": { "vars": { "ANTHROPIC_API_KEY": "sk-ant-oat01-YOUR_TOKEN" } }, ... "agents": { "defaults": { "model": { "primary": "anthropic-official/claude-sonnet-4-20250514" } } } }'
Back up your OpenClaw config first, prefer the per-agent configuration if possible, and confirm which agents will use the token before restarting the gateway.
