User Authentication System
v0.1.1Role-based access control for Greek accounting firms. Login, role hierarchy, per-client permissions, session management, audit logging.
⭐ 0· 607·0 current·0 all-time
byStems@satoshistackalotto
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (RBAC for Greek accounting firms) align with the requested binaries (openclaw, jq, openssl) and the single env var OPENCLAW_DATA_DIR. Requiring openclaw and a data directory is expected. However, the SKILL.md claims credentials are stored with salted SHA-256 hashes while the included EVALS expectations explicitly require bcrypt hashing — this is an inconsistency between claimed behavior and test expectations and suggests either outdated/insecure crypto choices or a mismatch between documentation and implementation.
Instruction Scope
Instructions are local and file-based under $OPENCLAW_DATA_DIR/auth (no external endpoints), which is consistent with 'fully local' claims. However, the runtime instructions specify storing passwords as salted SHA-256 (fast hash) and using openssl to generate 'SHA-256 TOTP' without describing secure secret storage, iteration count, salt generation, or protection of TOTP secrets. These omissions are security-relevant: SHA‑256 is not an appropriate password KDF by modern standards (should use bcrypt/argon2/scrypt), and 2FA/TOTP secret handling is underspecified. The EVALS.json expectations explicitly call for bcrypt and 'never plaintext', which contradicts SKILL.md; that mismatch is a substantive scope/behavior inconsistency.
Install Mechanism
There is no install spec (instruction-only), so nothing will be downloaded or written beyond creating the data directory and running openclaw commands. This lowers install-time risk. The only package suggestion is using the system package manager to install jq and openssl if missing.
Credentials
Only OPENCLAW_DATA_DIR is required and is appropriate for a file-based auth system. No API keys, tokens, or unrelated credentials are requested. Small note: examples default OPENCLAW_DATA_DIR to /data which may be a privileged or shared location on some hosts—users should ensure the directory is set to a safe path with correct ownership and permissions.
Persistence & Privilege
always: false and no special privileges are requested. The skill does not request to persist itself or modify other skills. It only writes to its own $OPENCLAW_DATA_DIR subpaths per instructions.
What to consider before installing
This skill looks like it does what it says (a local RBAC/auth system) but contains cryptographic and documentation inconsistencies that matter for security. Before installing: 1) Do not accept SHA‑256 password hashing—require the author to use a modern password KDF (bcrypt, scrypt, or Argon2) with explicit parameters. 2) Ask for details on how salts and TOTP secrets are generated, stored, and protected (secrets should be encrypted at rest and access-limited). 3) Verify that audit logs don't leak credentials or tokens and that file permissions restrict access to the auth directory (chmod 700 is suggested, but confirm ownership). 4) Confirm the discrepancy between SKILL.md (SHA‑256) and the EVALS tests (bcrypt) is resolved — this could be a documentation error or an implementation bug. 5) Prefer a non-default OPENCLAW_DATA_DIR (avoid using a global /data if that is shared) and review the actual implementation source before trusting it with production accounts. If you cannot obtain satisfactory answers or the owner/repo provenance, treat this as unsafe to deploy for real user accounts.Like a lobster shell, security has layers — review code before you run it.
latestvk97056ptpy2k9n13acvzngb6s181k8dx
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsjq, openssl, openclaw
EnvOPENCLAW_DATA_DIR