OCMAP Pairing Auth

v1.1.0

Implement one-time pairing-code authentication between an OpenClaw gateway and a desktop or remote client such as OCMAP. Use when adding or updating pairing....

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the provided SKILL.md and reference docs. The skill does not request unrelated binaries, credentials, or config paths and only describes protocol/implementation guidance appropriate to pairing auth.
Instruction Scope
The instructions are narrowly scoped to generating short-lived pairing codes, minting bootstrap auth, enforcing a connect-first handshake, validating signed device proofs, persisting trust in backend storage, and revocation. They do not instruct reading unrelated files, exfiltrating secrets, or contacting external endpoints beyond the implied gateway APIs.
Install Mechanism
No install spec or code is included (instruction-only). Nothing will be written to disk or downloaded by the skill itself, which keeps install risk minimal.
Credentials
The skill declares no required environment variables or credentials. It references short-lived bootstrap tokens and trusted-device tokens as part of the protocol, which is consistent and proportionate to the pairing functionality.
Persistence & Privilege
The skill is not marked always:true, does not request persistent system-wide privileges, and does not instruct changing other skills' configs. It recommends storing trusted tokens in backend/main process storage, which is an appropriate architectural guideline.
Assessment
This is a documentation/design-only skill that appears internally consistent. Before implementing or shipping code based on these docs: (1) confirm the skill source and trustworthiness if you obtained it externally; (2) enforce the short TTLs and single-use semantics for codes/bootstrap tokens; (3) ensure bootstrap tokens are short-lived and limited in scope, and that long-lived trusted-device tokens are stored only in backend/main process secure storage (OS keychain or encrypted app storage) and never exposed to UI renderers or logs; (4) add rate limiting, atomic marking of used codes, and feature-flag gating as suggested; and (5) run the recommended test matrix to verify there is no accidental token leakage or handshake bypass. If you plan to install code (not present here), review that code for network endpoints, storage locations, and any unexpected credential usage.

Like a lobster shell, security has layers — review code before you run it.
