ClawHub

Pdauth

v1.0.0

Dynamic OAuth for AI agents via Pipedream. Generate OAuth links for 2500+ APIs, let users authorize, then call MCP tools on their behalf.

1· 1.7k·4 current·4 all-time
by@g9pedro
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (dynamic OAuth via Pipedream) match the declared required binary ('pdauth') and the install spec (npm package 'pdauth' that provides a pdauth CLI). The listed workflows (connect, status, call) are consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the agent to generate OAuth links, ask the user to authorize, and then call tools via pdauth — all in-scope. It does not instruct reading unrelated system files or secrets. However, it explicitly tells operators to run 'pdauth config' to set up Pipedream credentials without describing what credentials are needed or where they're stored, leaving an important operational detail unspecified.
Install Mechanism
Install uses an npm package ('pdauth') that creates the 'pdauth' binary; this is expected for a CLI. npm packages can execute arbitrary install-time code, so this is a moderate-risk install mechanism but not unusual for a CLI tool.
!
Credentials
SKILL.md refers to configuring Pipedream credentials ('pdauth config') and to long-lived OAuth connections for many apps, yet the skill metadata declares no required env vars or primary credential. The lack of declared credentials/config-paths is an incoherence: the skill will need credentials (and will store tokens somewhere) but does not state this up front. Also, enabling OAuth for '2500+ APIs' means broad potential access once users authorize—this is powerful and should be explicitly justified and constrained.
Persistence & Privilege
The skill does not request 'always: true' and has no OS/config path requirements declared. That said, OAuth tokens obtained via the flow are likely to persist in Pipedream (or local pdauth config), allowing the agent to act on users' behalf across sessions. Autonomous invocation (allowed) combined with granted OAuth scopes increases blast radius, but autonomous invocation itself is the platform default.
What to consider before installing
This skill largely does what it says (generate OAuth links and call APIs via Pipedream), but you should proceed cautiously. Before installing: 1) Verify the npm package publisher and inspect the pdauth package source (or the GitHub repo) to ensure you trust its install-time behavior. 2) Ask the publisher which credentials 'pdauth config' requires, where those credentials/tokens are stored (local files vs. Pipedream account), and how to revoke them. 3) Limit OAuth scopes when authorizing and prefer short-lived or per-action consent. 4) Consider running the npm package in an isolated environment first (container or VM) and review its code. 5) If you need an explicit guarantee, request the skill metadata be updated to declare required env vars/config paths and a clear data-handling policy.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c1wtskb5p7gpjfpv8180dpd80hex1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔐 Clawdis
Binspdauth

Install

Install pdauth (node)
Bins: pdauth
npm i -g pdauth

Comments