ClawHub

ClawHub Login Helper

v1.0.0

帮助无头服务器通过手动 OAuth 流程登录 ClawHub,生成授权 URL 并验证回调完成认证,避免浏览器启动失败。

0· 352·2 current·2 all-time
by@mengwuzhi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
SKILL.md and the script implement a headless/manual OAuth helper for ClawHub and the script calls the external 'clawhub' CLI via subprocess.run. However the skill metadata declares no required binaries or credentials. The script clearly requires a functional 'clawhub' binary in PATH for core functionality; that mismatch is inconsistent and should have been declared.
Instruction Scope
The SKILL.md instructions align with the intended purpose: generate an auth URL, have the user open it locally, paste the callback URL, and check for the token at ~/.clawhub/token. The instructions do not ask the agent to read unrelated files or exfiltrate data. They do rely on invoking the 'clawhub' CLI and on the presence/content of ~/.clawhub/token and ~/.config/clawhub/config.json (documented).
Install Mechanism
No install spec — this is instruction-only plus a helper script. Nothing is downloaded or installed by the skill itself, which reduces supply-chain risk. The only code present is the included Python script.
Credentials
The skill requests no environment variables or secrets. It checks DISPLAY to detect headless mode and reads/writes the user's home token file (~/.clawhub/token) and may remove it on logout. The main proportionality concern is that it calls an external 'clawhub' binary (not declared), so the security posture depends on whether that binary is trusted and genuine.
Persistence & Privilege
The skill is not always-on and does not request elevated privileges. It does not modify other skills or system-wide agent settings. It will read and occasionally delete the user's local token file (~/.clawhub/token) as part of normal operation.
What to consider before installing
This skill's code matches its stated purpose, but be aware of two issues before installing: (1) the helper runs the 'clawhub' CLI (subprocess.run(['clawhub', ...])) yet the metadata lists no required binaries — ensure you have a legitimate, trusted 'clawhub' binary on the agent. A malicious or tampered 'clawhub' executable could perform arbitrary actions when invoked. (2) The script reads/writes your local token at ~/.clawhub/token and can delete it on logout — treat that token like a password. Recommendations: inspect the included Python script (already present), verify the origin and checksum of your 'clawhub' CLI, run the skill in a restricted user account or sandbox if uncertain, and do not install if you cannot verify the 'clawhub' binary's integrity.

Like a lobster shell, security has layers — review code before you run it.

authvk9752k6ed09hcc5temepfybq0n821b5qclivk9752k6ed09hcc5temepfybq0n821b5qlatestvk9752k6ed09hcc5temepfybq0n821b5qloginvk9752k6ed09hcc5temepfybq0n821b5qoauthvk9752k6ed09hcc5temepfybq0n821b5q

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

clawhub-login

ClawHub OAuth 登录助手 - 无头服务器专用

version: 1.0.0
author: 大总管
description: 帮助在无头服务器上通过 OAuth 方式登录 ClawHub,解决浏览器认证问题

问题场景

在无头服务器(无浏览器)上使用 clawhub login 时:

  • 默认会尝试打开浏览器 → 失败 (spawn xdg-open ENOENT)
  • 需要手动获取授权 URL → 在本地浏览器打开 → 完成认证

本 skill 自动化这个流程。

使用方法

方式 1:交互式(推荐)

python3 ~/.openclaw/workspace/skills/clawhub-login/scripts/clawhub_login.py

按提示操作:

  1. 复制输出的授权 URL
  2. 在本地浏览器打开
  3. 授权后复制回调 URL
  4. 粘贴到服务器完成登录

方式 2:命令行

# 获取授权 URL
python3 ~/.openclaw/workspace/skills/clawhub-login/scripts/clawhub_login.py --get-url

# 验证登录状态
python3 ~/.openclaw/workspace/skills/clawhub-login/scripts/clawhub_login.py --check

# 退出登录
python3 ~/.openclaw/workspace/skills/clawhub-login/scripts/clawhub_login.py --logout

完整流程

步骤 1:运行脚本

$ python3 scripts/clawhub_login.py

🔐 ClawHub OAuth 登录助手

检测到无头环境,使用手动授权模式...

1. 打开以下 URL(复制到本地浏览器):
   https://clawhub.ai/cli/auth?redirect_uri=...&state=xxx

2. 授权后,复制浏览器显示的 URL

3. 粘贴回调 URL:

步骤 2:在本地浏览器打开 URL

  • 点击授权
  • 浏览器会跳转到回调页面
  • 复制完整的回调 URL

步骤 3:粘贴到服务器

粘贴回调 URL:https://clawhub.ai/cli/auth/callback?code=xxx&state=xxx

✅ 登录成功!欢迎 @mengwuzhi

在 OpenClaw 中使用

# 让 agent 帮你登录
openclaw agent --message "帮我登录 ClawHub"

Agent 会:

  1. 运行 clawhub login 获取授权 URL
  2. 输出 URL 让你复制到本地浏览器
  3. 等待你提供回调 URL
  4. 完成登录

技术原理

ClawHub 使用 OAuth 2.0 流程:

1. CLI 生成授权 URL(含 state 参数)
   ↓
2. 用户在浏览器打开并授权
   ↓
3. ClawHub 重定向到回调 URL(含 code)
   ↓
4. CLI 用 code 交换 token
   ↓
5. Token 保存到 ~/.clawhub/token

故障排查

问题:xdg-open ENOENT

原因: 无头服务器没有图形界面

解决: 使用本 skill 的手动授权模式

问题:回调 URL 无效

原因: 授权已过期或 state 不匹配

解决: 重新运行脚本获取新的授权 URL

问题:登录状态丢失

原因: Token 文件被删除或过期

解决: 重新登录

相关文件

文件路径
Token 存储~/.clawhub/token
Token 配置~/.config/clawhub/config.json

安全提示

  • ⚠️ Token 相当于密码,不要分享
  • ⚠️ 定期更新 Token(重新登录)
  • ⚠️ 不要在公共电脑上保存 Token

基于实战经验

本 skill 基于 2026-02-28 在无头服务器上登录 ClawHub 发布 create-openclaw-agent skill 的实战经验总结。

许可证

MIT License

作者备注: 这是第一个专门解决 ClawHub 无头登录问题的 skill。

Files

3 total
Select a file
Select a file to preview.

Comments

Loading comments…