a2a-Market-Google-OAuth
Handle Google OAuth login, account linking, and session bootstrap for A2A market users and operators. Use when implementing identity login endpoints, callbac...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The SKILL.md describes implementing Google OAuth (authorization code flow, token exchange, refresh tokens, session bootstrap). A legitimate OAuth integration requires provider credentials (client_id, client_secret), redirect URIs, storage for tokens, and configuration. The skill metadata declares no required environment variables, secrets, or config paths — that's inconsistent with the stated purpose.
Instruction Scope
Instructions are fairly specific about endpoints, state/nonce validation, hashing refresh tokens, and emitting audit and session events. They also claim a local runtime implementation and list primary code paths (runtime/src/... and npm test), but no code is packaged and no install steps are provided. Emitting audit/log and WebSocket events implies integration with infrastructure or credentials that are not declared.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. That minimizes on-disk install risk, but it also means the SKILL.md is the only behavioral surface — which heightens the importance of consistency between instructions and declared requirements.
Credentials
No environment variables or primary credential are declared, yet OAuth needs at minimum a Google client ID and client secret, plus likely storage/access creds for session/token storage and event/audit systems. The absence of declared secrets is disproportionate and unexplained.
Persistence & Privilege
The always flag is false, and there is no claim that the skill will persistently modify agent or system settings. No evidence of elevated privileges or forced inclusion.
What to consider before installing
This package reads like a scaffold/README rather than a runnable skill; it describes OAuth flows and references runtime code and tests that are not included. Before installing or using it:
1) ask the author for the source repository or homepage and for the actual runtime code mentioned in SKILL.md;
2) confirm which environment variables (Google client_id/client_secret, token storage creds, audit/event endpoints) the skill will need and where they will be stored;
3) require that secrets be kept out of the skill package and provided explicitly via secure platform credential storage;
4) inspect any runtime code and tests for safe handling of tokens, nonce/state validation, and event emissions;
5) avoid granting the skill broad agent/system access until you can verify its implementation and the minimal set of credentials it actually needs.
If the owner provides matching code and explicit env var declarations for only the expected OAuth items, the coherence concern can be resolved.
Current version: v0.2.0
SKILL.md
a2a-Market Google OAuth
Create a stable OAuth integration shell for buyer and merchant sign-in.
Current status: publish-ready scaffold. Keep flows explicit and deterministic before full SSO hardening.
Scope
- Implement Google OAuth authorization code flow.
- Link external identity to internal Agent/Operator profile.
- Bootstrap session token and refresh workflow after callback.
Suggested Project Layout
- app/integrations/oauth/google_client.py
- app/interfaces/api/auth_routes.py
- app/application/services/session_service.py
- app/protocol/identity/user_identity_mapper.py
Minimum Contracts (MVP P0)
- GET /auth/google/start builds state + redirect URL.
- GET /auth/google/callback validates state and exchanges code.
- upsert_identity(provider, provider_user_id, email) returns internal principal id.
- create_session(principal_id) returns short-lived access token and refresh token.
Security Baseline
- Validate state and nonce against server-side cache.
- Reject callback if issuer/audience do not match configuration.
- Store only hashed refresh tokens and rotate on use.
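The three baseline checks above, as an added Python example that is not part of this skill or the runtime package it references. An in-memory dict stands in for the server-side cache and token storage, and the configuration values and ID-token claim names are assumptions:

```python
import hashlib
import hmac
import secrets
import time

# Constructed configuration standing in for the skill's settings (assumption).
CONFIG = {"issuer": "https://accounts.google.com", "client_id": "example-client-id"}

class OAuthStateStore:
    """Server-side cache of single-use state/nonce pairs (in-memory stand-in)."""
    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self._entries = {}  # state -> (nonce, expires_at)

    def issue(self):
        state, nonce = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self._entries[state] = (nonce, time.time() + self.ttl)
        return state, nonce

    def consume(self, state):
        # pop() makes the state single-use, so a replayed callback fails.
        nonce, expires_at = self._entries.pop(state, (None, 0))
        return nonce if nonce and time.time() < expires_at else None

def validate_callback(store, state, id_token_claims, config=CONFIG):
    """Reject the callback unless state, nonce, issuer and audience all check out."""
    expected_nonce = store.consume(state)
    if expected_nonce is None:
        return False, "unknown or expired state"
    presented = str(id_token_claims.get("nonce", "")).encode()
    if not hmac.compare_digest(expected_nonce.encode(), presented):
        return False, "nonce mismatch"
    if id_token_claims.get("iss") != config["issuer"]:
        return False, "issuer mismatch"
    if id_token_claims.get("aud") != config["client_id"]:
        return False, "audience mismatch"
    return True, id_token_claims.get("sub")

class RefreshTokenStore:
    """Keeps only SHA-256 hashes of refresh tokens; each token is valid for one use."""
    def __init__(self):
        self._hashes = {}  # sha256(token) -> principal_id

    def issue(self, principal_id):
        token = secrets.token_urlsafe(32)
        self._hashes[hashlib.sha256(token.encode()).hexdigest()] = principal_id
        return token

    def rotate(self, token):
        # Presenting a token consumes its hash; a second presentation returns None.
        principal_id = self._hashes.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        return None if principal_id is None else self.issue(principal_id)
```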
Events
- Emit login event to audit log stream.
- Emit session-created event for WebSocket presence bootstrap.
Implementation Backlog
- Add account merge flow for duplicate emails across providers.
- Add step-up verification for risky sessions.
Runtime Implementation
- Status: implemented in local runtime package.
- Primary code paths: runtime/src/integrations/oauth/google-oauth-service.js
- Validation: covered by runtime/tests and npm test in runtime/.
Files: 1 total