ClawHub Login Helper

Review

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent ClawHub login helper, but it handles account login material and should only be used in a trusted session.

This skill is appropriate if you intentionally want a headless ClawHub login helper. Before using it, make sure the local `clawhub` CLI is trusted, treat OAuth callback URLs and `~/.clawhub/token` like passwords, and only run logout when you intend to remove the local session.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with access to the callback code or resulting token may be able to authenticate as the user or enable future ClawHub commands from that machine.

Why it was flagged

The skill directs the user/agent through an OAuth callback flow and documents persistent token storage. This is purpose-aligned for a login helper, but it grants a local authenticated ClawHub session.

Skill content

Paste the callback URL: https://clawhub.ai/cli/auth/callback?code=xxx&state=xxx ... The token is saved to ~/.clawhub/token ... The token is equivalent to a password; do not share it

Recommendation

Use this only in a trusted terminal/session, verify the ClawHub URL before authorizing, do not share callback URLs or token files, and log out when the session is no longer needed.

What this means

The skill will only behave as intended if the `clawhub` CLI on PATH is the trusted official CLI.

Why it was flagged

The script relies on executing the local `clawhub` binary. This is expected for a ClawHub login helper, but the registry metadata did not declare this required binary.

Skill content

`subprocess.run(['clawhub', 'whoami'], capture_output=True, text=True)` ... `subprocess.run(['clawhub', 'login'], capture_output=True, text=True)`

Recommendation

Install or verify the official ClawHub CLI before using the skill, and avoid running it in environments where PATH may point to an untrusted replacement binary.