Headless OAuth

v1.3.1

Authorize any OAuth CLI on a headless server where the agent and the user are on separate machines. Use when a CLI tool requires OAuth login on a VPS or serv...

by Igor Ivanter @igorivanter
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the SKILL.md content. All required actions (asking the user to open URLs, copying redirect URLs or device codes, relaying callbacks to localhost, and advising about keyrings) are directly relevant to headless OAuth and no unrelated credentials, binaries, or services are requested.
Instruction Scope
The instructions explicitly require the user to paste full redirect URLs or codes (which contain sensitive authorization codes) and tell the agent to forward those to the server via curl to localhost. This is expected for the workflow, but it means the agent will handle sensitive tokens/codes during the flow — users should be aware these values are secret and transient. The skill does not instruct the agent to read unrelated files or exfiltrate data to external hosts.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is written to disk or fetched at install time, which minimizes installation risk.
Credentials
The skill requests no environment variables or credentials, which is proportional. It does advise storing tokens locally (as any OAuth flow does) and warns about keyring unlocking. Users should avoid persisting secrets in shell configs and prefer ephemeral injection from a secrets manager.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not modify other skills or system-wide settings. Autonomous invocation is allowed by platform default but not by this skill's configuration alone.
Assessment
This skill is a focused recipe for completing OAuth when the server is headless and the user has the browser. It legitimately asks the user to paste redirect URLs or device codes (these are sensitive authorization values). Before installing or using it: (1) Confirm you trust the agent/host — the agent will see short-lived auth codes and may store tokens on the server. (2) Prefer device flow where possible (no redirect URLs to copy). (3) Ensure the agent only forwards the copied URL to the server's localhost as described and not to any external endpoint. (4) Avoid persisting keyring passwords or tokens in shell startup files; use ephemeral secrets or a secrets manager for the auth step. The skill itself contains no hidden installs or unrelated credential requests and appears coherent with its stated purpose.




Runtime requirements

🔐 Clawdis
