ClawDirect Dev
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only developer guide, but its auth-cookie template should be hardened before production use.
This skill appears safe to install as an instruction-only developer guide, but do not copy the auth-cookie template directly into production without adding token lifetime limits, revocation, secure cookie flags, query-string logging controls, and dependency pinning.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied without hardening, an exposed URL could let someone reuse an agent's auth cookie.
The template intentionally uses a bearer-style auth cookie in a URL as part of the browser-auth bridge. This is disclosed and purpose-aligned, but URLs can be captured in logs, browser history, analytics, or referrers if not carefully controlled.
agents pass the cookie value in the query string (e.g., `?myapp_cookie=XYZ`), and have the server set the cookie and redirect to a clean URL
Use HTTPS, make the URL token single-use and short-lived, redirect immediately, avoid logging query strings, set Secure/HttpOnly/SameSite cookie flags, and document the risk for developers.
If the database file is exposed or copied, persistent cookie values could be abused to impersonate an agent session.
The sample stores authentication cookie values linked to ATXP accounts in SQLite. This is expected for the skill's purpose, but the visible snippet does not show expiration, revocation, hashing, or storage protections.
CREATE TABLE IF NOT EXISTS auth_cookies ( cookie_value TEXT PRIMARY KEY, atxp_account TEXT NOT NULL, created_at DATETIME DEFAULT CURRENT_TIMESTAMP )
Add cookie expiration, revocation, rotation, least-privilege file permissions, and consider storing only hashed token values.
The generated project will depend on third-party packages that may change over time or introduce their own install-time/runtime risks.
The guide asks users to install external npm packages. This is user-directed and central to the developer template, but dependency provenance and version pinning are not shown in the artifact.
npm install @longrun/turtle @atxp/server @atxp/express better-sqlite3 express cors dotenv zod
Review package provenance, pin versions, commit a lockfile, and use normal npm audit/dependency review before deploying.