ClawHub

Perpetua

v1.0.0

OAuth proxy for calling external APIs (Oura, Google Calendar, etc.) via Perpetua.sh hosted API using a single API key. Use when fetching Oura data, Google Ca...

0· 401·0 current·0 all-time
byDaniel Killenberger@danielkillenberger
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (an OAuth proxy to call Oura, Google Calendar, etc.) aligns with the runtime instructions that call https://www.perpetua.sh. However the skill metadata declares no required environment variables or primary credential while the SKILL.md explicitly requires a PERPETUA_API_KEY. That mismatch (missing declared credential and provenance) is a coherence issue.
!
Instruction Scope
The SKILL.md instructs the agent to send requests to the external Perpetua.sh API using Authorization: Bearer $PERPETUA_API_KEY and shows curl examples for Oura and Google Calendar. Those actions are consistent with an OAuth proxy, but the instructions also mention loading secrets from $HOME/.openclaw/secrets.env and include an informal troubleshooting note to 'notify Daniel' (a single maintainer hint). The instructions therefore depend on a secret and an external hosted service that will receive users' OAuth-proxied data — this is outside the agent's local environment and requires explicit user trust and metadata transparency.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes on-disk execution risk because nothing is downloaded or installed by the skill itself.
!
Credentials
The runtime clearly requires PERPETUA_API_KEY (Authorization header) but the skill metadata lists no required env vars or primary credential. Requesting an API key that grants access to OAuth-backed personal data (calendar, health metrics) is a high-sensitivity permission and should be declared explicitly and justified. The absence of declared credentials and the unknown publisher/homepage increase the proportionality concern.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. Autonomous invocation is allowed (default) — normal for skills — but there is no indication of elevated system persistence or privilege requests.
What to consider before installing
This skill will make HTTP requests to the external host https://www.perpetua.sh and requires you to provide a PERPETUA_API_KEY that lets the service access your Google Calendar, Oura data, and any connected providers. Before installing or using it: (1) Verify the Perpetua.sh service and publisher (there is no homepage and the owner is unknown); (2) Do not paste long-lived high-privilege credentials unless you trust the service — prefer a key with minimal scopes and easy rotation; (3) Consider hosting the OSS/local option (localhost:3001) if you want to avoid sending data to a third-party; (4) Ask the publisher to update the skill metadata to explicitly declare PERPETUA_API_KEY and provide documentation/privacy policy; (5) If you allow autonomous agent invocation, be aware the agent could call the proxy and fetch personal calendar/health data without repeated explicit prompts. If you cannot verify the service or publisher, treat this skill as high-risk and avoid providing secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk974z1j94r3q7kpbjwzwx8jsrn81r3ra

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔑 Clawdis

Comments