ClawHub

authaudit

v1.0.1

Authentication & authorization pattern analyzer — finds missing auth checks, insecure sessions, broken access control, CSRF gaps, and token handling vulnerab...

0· 90·0 current·0 all-time
by@suhteevah

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for suhteevah/authaudit.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "authaudit" (suhteevah/authaudit) from ClawHub.
Skill page: https://clawhub.ai/suhteevah/authaudit
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, bash, python3, jq
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install authaudit

ClawHub CLI

Package manager switcher

npx clawhub@latest install authaudit
Security Scan
Capability signals
CryptoRequires walletCan make purchasesRequires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (auth/authz pattern analyzer) match the shipped files: patterns.sh contains regex checks, analyzer.sh runs local grep-based scans, dispatcher.sh provides a CLI, and license.sh gates Pro/Team features. Required binaries (git, bash, python3, jq) are reasonable for the shipped implementation.
Instruction Scope
SKILL.md and the scripts instruct the agent to run local scripts (dispatcher.sh → analyzer.sh → patterns.sh). Scanning is performed locally with grep/find and does not send code to external servers. The only external references are informational (product URL) and license prompts; there are no instructions to exfiltrate files or read unrelated secrets beyond the OpenClaw config file used to obtain the license key.
Install Mechanism
The only declared install action is to install the 'lefthook' git-hook manager via brew, which is coherent with the hooks functionality. No downloads from untrusted URLs or opaque extract actions are present. Scripts provide alternate guidance (npm global) but do not automatically fetch remote code.
Credentials
The skill declares a single primary credential (AUTHAUDIT_LICENSE_KEY) which is appropriate for tier gating. It also reads ~/.openclaw/openclaw.json to locate a stored apiKey (declared in metadata). license.sh optionally checks a CLAWHUB_JWT_SECRET env var (used only to verify license signatures) but that variable is not declared in requires.env; its use is optional and limited to local signature verification. Overall requested env/config access is proportionate, but note that reading ~/.openclaw/openclaw.json means the script will parse your OpenClaw config to locate its apiKey (it does not exfiltrate it).
Persistence & Privilege
always is false and the skill is user-invocable. The skill can install git hooks (lefthook) into a repository when the user runs 'authaudit hooks install' which will modify lefthook.yml and run lefthook install — this is expected for a hooks feature but is a change to the repo that the user should approve. The skill does not request permanent platform-level privileges or modify other skills.
Assessment
This skill appears to do what it says: a local, grep/regex-based auth/authz scanner that requires a license key. Before installing or running hooks: 1) Verify the license key source and avoid pasting keys from untrusted locations. 2) Back up ~/.openclaw/openclaw.json if you are concerned, since the skill will read it to find its apiKey. 3) Review the scripts (already bundled) if you plan to enable pre-commit/pre-push hooks — installing hooks will modify your repository's lefthook.yml and run lefthook. 4) If you do not want local signature verification to access any CLAWHUB_JWT_SECRET, do not set that env var; it is optional. 5) Run scans on a copy/isolated repo first if you want to validate behavior. Overall, nothing indicates exfiltration or unrelated credential access, but exercise normal caution with license keys and repo hook installation.
scripts/patterns.sh:241
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔐 Clawdis
OSmacOS · Linux · Windows
Binsgit, bash, python3, jq
Primary envAUTHAUDIT_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
latestvk971bmar9zxz5h4g7bnp7m27rx84vea3
90downloads
0stars
2versions
Updated 2w ago
v1.0.1
MIT-0
macOS, Linux, Windows
@suhteevah
latest
Download

AuthAudit -- Authentication & Authorization Pattern Analyzer

AuthAudit scans your codebase for authentication and authorization vulnerabilities including missing auth checks, insecure session handling, broken access control, CSRF gaps, token storage issues, and credential management weaknesses. It supports JavaScript/TypeScript, Python, Ruby, Go, Java, and PHP codebases. All scanning happens locally using regex-based pattern matching -- no code is sent to external servers.

Check Categories

AuthAudit organizes its 90 security patterns into 6 categories:

1. AC -- Authentication Checks (15 patterns)

Detects missing authentication middleware, unprotected routes, bypassed login checks, missing auth decorators, unauthenticated API endpoints, disabled authentication, anonymous access to sensitive resources, and missing multi-factor authentication enforcement.

2. SM -- Session Management (15 patterns)

Finds insecure session configuration, missing session expiry, absent session rotation on privilege changes, predictable session IDs, session fixation vulnerabilities, missing Secure/HttpOnly cookie flags, overly long session lifetimes, and sessions stored in insecure locations.

3. AZ -- Authorization/Access Control (15 patterns)

Identifies missing role checks, broken object-level authorization (BOLA), insecure direct object references (IDOR), missing permission verification, privilege escalation paths, hardcoded admin roles, missing function-level authorization, and horizontal access control bypasses.

4. TK -- Token Handling (15 patterns)

Catches JWT stored in localStorage, tokens transmitted in URL parameters, missing token expiry validation, absent token refresh rotation, weak signing algorithms (none/HS256 with secrets), token leakage in logs, missing audience/issuer validation, and insecure token generation.

5. CS -- CSRF Protection (15 patterns)

Detects missing CSRF tokens on state-changing endpoints, absent SameSite cookie flag, GET requests performing side effects, missing Origin/Referer validation, state-changing GET endpoints, disabled CSRF middleware, CORS misconfigurations enabling CSRF, and missing double-submit cookie patterns.

6. PW -- Password & Credential Management (15 patterns)

Finds weak password requirements, plaintext password comparison, missing bcrypt/argon2 hashing, absent rate limiting on login endpoints, passwords in query strings, hardcoded credentials, insecure password reset tokens, missing password complexity enforcement, and credential logging.

Severity Levels

Each finding is classified by severity:

SeverityWeightDescription
Critical25 pointsActive vulnerability that can be immediately exploited
High15 pointsSignificant security weakness requiring prompt attention
Medium8 pointsSecurity concern to address in upcoming sprints
Low3 pointsBest-practice improvement or informational finding

Scoring System

AuthAudit calculates a security score from 0 to 100:

  • Starting score: 100
  • Deductions: Each finding subtracts points based on severity weight
  • Scaling: Penalties are scaled relative to codebase size (more files = smaller per-issue impact)
  • Pass threshold: 70 (score >= 70 = pass, score < 70 = fail)

Grades

GradeScore RangeMeaning
A90 -- 100Excellent auth posture
B80 -- 89Good, minor improvements needed
C70 -- 79Acceptable, several issues to fix
D60 -- 69Below threshold, significant concerns
F0 -- 59Critical auth vulnerabilities present

Commands

Free Tier (No license required)

authaudit scan [file|directory]

One-shot authentication and authorization audit of source files.

How to execute:

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does:

  1. Accepts a file path or directory (defaults to current directory)
  2. Finds all source files (excluding .git/, node_modules/, dist/, build/, vendor/, pycache)
  3. Runs the first 30 auth/authz patterns against each file (free tier limit)
  4. Outputs findings with: file, line number, check ID, severity, description, recommendation
  5. Calculates a security score (0-100) with letter grade
  6. Free tier: limited to 30 of 90 patterns
  7. Exit code 0 if score >= 70, exit code 1 if score < 70

Example usage scenarios:

  • "Scan my code for auth vulnerabilities" -> runs authaudit scan .
  • "Check for missing authentication" -> runs authaudit scan src/
  • "Audit my session handling" -> runs authaudit scan .
  • "Find CSRF vulnerabilities" -> runs authaudit scan .
  • "Check token security" -> runs authaudit scan .

authaudit scan [file|directory] --category AC

Scan only a specific category.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --category AC

authaudit scan [file|directory] --format json

Output results in JSON format for CI/CD integration.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --format json

Pro Tier ($19/user/month -- requires AUTHAUDIT_LICENSE_KEY)

authaudit scan [file|directory] (60 patterns)

Full security audit with 60 patterns enabled (free + pro patterns).

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

What it does (beyond free):

  1. Runs 60 of 90 patterns (all free + pro-tier patterns)
  2. Includes advanced session management, token handling, and credential checks
  3. Detailed remediation advice per finding
  4. HTML report output support

authaudit hooks install

Install git pre-commit hooks that scan staged files for auth issues before every commit.

bash "<SKILL_DIR>/scripts/dispatcher.sh" hooks install

authaudit hooks uninstall

Remove AuthAudit git hooks.

bash "<SKILL_DIR>/scripts/dispatcher.sh" hooks uninstall

authaudit report [directory]

Generate a markdown security audit report.

bash "<SKILL_DIR>/scripts/dispatcher.sh" report [directory]

Team/Enterprise Tier ($39/user/month -- requires AUTHAUDIT_LICENSE_KEY with team tier)

authaudit scan [file|directory] (all 90 patterns)

Complete audit with all 90 patterns across all 6 categories.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target]

authaudit scan [file|directory] --format html

HTML report with interactive severity filtering.

bash "<SKILL_DIR>/scripts/dispatcher.sh" --path [target] --format html

Tier-Based Pattern Access

TierPatterns AvailableCategories
Free30 (first 5 per category)AC, SM, AZ, TK, CS, PW
Pro60 (first 10 per category)AC, SM, AZ, TK, CS, PW
Team90 (all patterns)AC, SM, AZ, TK, CS, PW
Enterprise90 (all patterns)AC, SM, AZ, TK, CS, PW

Output Formats

  • text (default) -- Human-readable terminal output with colors and severity icons
  • json -- Machine-readable JSON for CI/CD pipelines and tooling integration
  • html -- Self-contained HTML report with severity filtering (Team+)

Configuration

Users can configure AuthAudit in ~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "authaudit": {
        "enabled": true,
        "apiKey": "YOUR_LICENSE_KEY_HERE",
        "config": {
          "severityThreshold": "medium",
          "excludePatterns": ["**/node_modules/**", "**/dist/**", "**/.git/**"],
          "reportFormat": "text",
          "categories": ["AC", "SM", "AZ", "TK", "CS", "PW"]
        }
      }
    }
  }
}

Important Notes

  • Free tier works immediately with no configuration (30 patterns)
  • All scanning happens locally -- no code is sent to external servers
  • License validation is offline -- no phone-home or network calls
  • Supports JS/TS, Python, Ruby, Go, Java, and PHP codebases
  • Git hooks use lefthook which must be installed (see install metadata above)
  • Exit codes: 0 = pass (score >= 70), 1 = fail (score < 70 or critical issues)

Error Handling

  • If lefthook is not installed and user tries hooks install, prompt to install it
  • If license key is invalid or expired, show clear message with link to https://authaudit.dev/renew
  • If a file is binary, skip it automatically with no warning
  • If no source files found in target, report clean scan with info message
  • If an invalid category is specified, list valid categories and exit

When to Use AuthAudit

The user might say things like:

  • "Scan my code for authentication issues"
  • "Check if my routes have auth middleware"
  • "Find missing authorization checks"
  • "Audit my session handling"
  • "Check for CSRF vulnerabilities"
  • "Find insecure token storage"
  • "Check for hardcoded credentials"
  • "Audit my password handling"
  • "Find privilege escalation paths"
  • "Check for broken access control"
  • "Scan for insecure session configuration"
  • "Find JWT vulnerabilities in my code"
  • "Check my login flow for security issues"
  • "Audit auth patterns in my codebase"

Comments

Loading comments...