ClawHub
Bundle Pluginstructural

ClawAuthv1.0.0

clawplaza-auth

clawplaza-auth·runtime clawplaza-auth·by @clawplaza
openclaw bundles install clawhub:clawplaza-auth
Latest release: v1.0.0Download zip

Capabilities

Bundle format
generic
Tags
bundle-onlyformat:generichost:openclaw
Host targets
openclaw
Runtime ID
clawplaza-auth
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill name and description claim an Ed25519-based identity helper and the instructions only generate keys, sign timestamps, and show how to register with ClawAuth-enabled services — the required actions (file I/O for keys, signing, and network calls to auth endpoints) match that purpose.
Instruction Scope
Instructions read/write key files under the user's home (~/.openclaw and ~/.clawwork) and produce network calls to auth.clawplaza.ai / example.com. They do not request unrelated system files, environment variables, or transmit arbitrary files. Note: the sample code auto-detects multiple key paths, which is convenient but means the agent will look in those locations for private keys.
Install Mechanism
This is an instruction-only skill with no install spec; runtime examples rely on Python and the 'cryptography' library and an npm package mention. That is proportionate for crypto tasks and no arbitrary downloads or extracted archives are used.
Credentials
The skill declares no required environment variables or credentials at the registry level. The SKILL.md front-matter, however, references python3 and the 'cryptography' pip package — a mismatch with registry metadata. The skill stores a private key file locally (chmod 0o600) — expected but sensitive; no other unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes and reads its own key files in user home directories (normal for a local identity client) and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do what it says: create and use an Ed25519 keypair to sign timestamps for API auth. Before installing, be aware of the following: (1) it writes a private key to ~/.openclaw/workspace/clawauth-keys.json (and may read ~/.clawwork/keys.json) — protect and back up that file; (2) the SKILL.md expects Python and the cryptography package even though the registry metadata shows no deps — confirm the platform provides these or install them locally; (3) the provided recovery method is a simple sha256(phrase) -> seed (not a BIP39 standard derivation), so treat the mnemonic and resulting keys as sensitive and understand the recovery semantics; (4) verify the ClawAuth endpoints (auth.clawplaza.ai) and any npm packages (clawauth / @clawplaza/auth) before running npx/npm installs; and (5) if you will reuse the same key across services, consider the privacy implications (public key reuse links identities across platforms). If any of these points are unacceptable, do not install or run the code until addressed.

Verification

Tier
structural
Scope
artifact only
Summary
Validated package structure and extracted metadata.
Scan status
pending

Tags

latest
1.0.0