Oauth Helper

v1.1.0

Automate OAuth login flows with user confirmation via Telegram. Supports 7 providers: Google, Apple, Microsoft, GitHub, Discord, WeChat, QQ.

Features:
- Auto-detect available OAuth options on login pages
- Ask user to choose via Telegram when multiple options exist
- Confirm before authorizing
- Handle account selection and consent pages automatically

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md describes automating OAuth flows and confirming via Telegram, which is coherent with the name. However the skill declares no required credentials or config but repeatedly instructs the agent to send messages via Telegram and use a 'clawd' browser profile logged into providers. Those capabilities require credentials/access that are not declared (no TELEGRAM token, channel ID, or browser profile path), which is an inconsistency.
! Instruction Scope
Runtime instructions tell the agent to scan arbitrary login pages for DOM selectors, extract target site info, take screenshots of QR codes, and transmit those items to a Telegram channel. While relevant to the stated task, these steps involve collecting and sending potentially sensitive data (page content, screenshots, redirect targets) to an external messaging channel — the SKILL.md does not limit or justify this data exfiltration, nor does it describe safeguards.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal installation risk because nothing is downloaded or written by the skill itself.
! Credentials
The skill requests no environment variables or primary credential, yet its flows require access to Telegram (to send/receive messages) and to a logged-in browser profile. This mismatch (no declared TELEGRAM_TOKEN, CHANNEL_ID, or config path to the 'clawd' browser profile) is disproportionate and unclear — either the platform provides these implicitly (not documented) or the SKILL.md is incomplete/ambiguous.
Persistence & Privilege
The skill does not request always:true and has no install footprint, so it doesn't demand permanent inclusion. However, because it instructs automated browser actions and external messaging, autonomous invocation (disable-model-invocation: false) increases blast radius if the agent is permitted to run it without tight user confirmation. That combination with the other concerns warrants caution.
What to consider before installing
Key things to verify before installing/using this skill:
- Ask the publisher for source code or a homepage; this skill currently has 'unknown' source and no homepage.
- Confirm exactly how Telegram integration works: which env vars or tokens are required (TELEGRAM_BOT_TOKEN, CHAT_ID, etc.), and ensure tokens are provided only via secure platform secrets (not pasted into chat).
- Verify how the agent will access the 'clawd' browser profile (what path or credential) and whether that profile contains logged-in accounts you trust being used for OAuth.
- Understand what the skill will send to Telegram: screenshots of QR codes and login pages may contain sensitive info. Insist on limiting or redacting data where possible.
- Test with throwaway/dummy accounts first (not your primary Google/Microsoft/GitHub accounts) to confirm behavior and that no unwanted scopes/authorizations occur.
- Prefer skills that explicitly declare required env vars, permissions, and a verifiable source; if the publisher cannot provide those, do not grant access to real accounts.

If you are not comfortable providing access to a logged-in browser/profile or to a Telegram channel bot, do not enable this skill.

Like a lobster shell, security has layers — review code before you run it.
