WorkOS v1.0.0
Manage enterprise SSO, Directory Sync (SCIM), Admin Portal, and user management via WorkOS API. Use when asked to set up SSO for an organization, provision u...
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name, description, and runtime instructions consistently target the WorkOS API (SSO, SCIM, Admin Portal, user management). The requested API calls match the stated purpose.
Instruction Scope
SKILL.md contains concrete curl examples for WorkOS endpoints and only references API inputs (organization id, connection id, auth code, client id) and environment variables (WORKOS_API_KEY). It does not instruct the agent to read unrelated files or system paths. However, the instructions do require secrets (API key, client_id placeholders) that are not declared in the skill manifest.
Install Mechanism
No install spec and no code files — instruction-only skill. This minimizes disk-write/installation risk.
Credentials
SKILL.md explicitly requires WORKOS_API_KEY and uses WORKOS_CLIENT_ID in examples, but the registry metadata lists no required env vars and no primary credential. That mismatch is a red flag: the skill will expect/consume credentials at runtime even though none are declared. Requesting an API key for the target service is reasonable, but the manifest should list it. The skill could use any API key supplied by the agent or environment, so supply least-privilege credentials and confirm what's required.
Persistence & Privilege
The always flag is false and model invocation is allowed (platform default). The skill does not request persistent system changes or modification of other skills. No elevated persistence is requested.
Scan Findings in Context
[no-regex-findings] expected: The repository contained only an instruction file (SKILL.md), so the regex-based scanner had no code to analyze. This is expected for an instruction-only skill, but it means static scans offer little signal.
What to consider before installing:
- The SKILL.md needs a WORKOS_API_KEY (and shows a WORKOS_CLIENT_ID), but the skill metadata doesn't declare these — ask the publisher to update the manifest to list required env vars and the primary credential.
- Only provide a least-privilege WorkOS API key scoped to the operations you want (prefer a read-only key if you only need listings). Avoid giving full-admin keys unless necessary.
- Because this is an instruction-only skill, it will make outbound API calls using whichever WORKOS_API_KEY is available to the agent; monitor WorkOS audit logs for unexpected activity and rotate keys if you see misuse.
- Verify the skill source/owner before trusting it: there is no homepage and the owner ID is opaque. If you can't verify provenance, prefer testing in a non-production environment with test credentials.
- Recommend the publisher declare WORKOS_API_KEY (and WORKOS_CLIENT_ID if required) in the registry and indicate the minimal scopes required; that resolves the primary incoherence observed here.
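As an added check (not part of the registry's scanner or of the WorkOS skill), the script below reproduces the credential-mismatch finding: it extracts environment-variable and placeholder references from SKILL.md text and compares them with what the manifest declares. The manifest field names env and primaryCredential and the SKILL.md excerpt are constructed for this example.

```python
"""Flag credentials a SKILL.md expects that the skill manifest does not declare."""
import re

# Constructed sample manifest: declares no env vars, as the scan reports.
# The field names "env" and "primaryCredential" are assumed for this example.
MANIFEST = {"name": "workos", "version": "1.0.0", "env": [], "primaryCredential": None}

# Constructed excerpt in the style of the skill's curl examples.
SKILL_MD = """
curl -H "Authorization: Bearer $WORKOS_API_KEY" https://api.workos.com/organizations
curl -X POST https://api.workos.com/sso/token \\
  -d '{"code": "<auth_code>", "client_id": "<WORKOS_CLIENT_ID>"}'
"""

# $NAME / ${NAME} shell expansions and <NAME> placeholders in SCREAMING_SNAKE_CASE.
# Lower-case placeholders such as <org_id> are API inputs, not secrets, and are ignored.
ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]{2,})\}?")
PLACEHOLDER = re.compile(r"<([A-Z][A-Z0-9_]{2,})>")
SECRET_HINT = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|CLIENT_ID)", re.I)


def referenced_env_vars(skill_md: str) -> set[str]:
    """Names the instructions expect the agent to supply from its environment."""
    return set(ENV_REF.findall(skill_md)) | set(PLACEHOLDER.findall(skill_md))


def undeclared_credentials(manifest: dict, skill_md: str) -> dict[str, list[str]]:
    """Compare references in SKILL.md with the manifest's declared credentials."""
    declared = set(manifest.get("env") or [])
    if manifest.get("primaryCredential"):
        declared.add(manifest["primaryCredential"])
    missing = sorted(referenced_env_vars(skill_md) - declared)
    return {
        "undeclared": missing,
        # Names that look like secrets are the ones worth raising with the publisher.
        "secret_like": [name for name in missing if SECRET_HINT.search(name)],
    }


def verdict(manifest: dict, skill_md: str) -> str:
    """'suspicious' when the skill will consume secrets it never declared."""
    return "suspicious" if undeclared_credentials(manifest, skill_md)["secret_like"] else "ok"


if __name__ == "__main__":
    print(undeclared_credentials(MANIFEST, SKILL_MD), verdict(MANIFEST, SKILL_MD))
```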
Tags: directory, enterprise-auth, latest, saml, scim, sso, workos
WorkOS Skill
WorkOS REST API base: https://api.workos.com
Auth
curl -H "Authorization: Bearer $WORKOS_API_KEY" https://api.workos.com/...
Organizations
List Organizations
curl "https://api.workos.com/organizations?limit=10" \
-H "Authorization: Bearer $WORKOS_API_KEY"
Create Organization
curl -X POST "https://api.workos.com/organizations" \
-H "Authorization: Bearer $WORKOS_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name": "Acme Corp", "domains": [{"domain": "acme.com"}]}'
SSO
List SSO Connections
curl "https://api.workos.com/connections?organization_id=<org_id>" \
-H "Authorization: Bearer $WORKOS_API_KEY"
Get SSO Authorization URL
curl -X POST "https://api.workos.com/sso/authorize" \
-H "Authorization: Bearer $WORKOS_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"client_id": "<WORKOS_CLIENT_ID>",
"redirect_uri": "https://yourapp.com/auth/callback",
"connection": "<connection_id>",
"state": "<random_state>"
}'
Get Profile After SSO Callback
curl -X POST "https://api.workos.com/sso/token" \
-H "Authorization: Bearer $WORKOS_API_KEY" \
-H "Content-Type: application/json" \
-d '{"code": "<auth_code>", "client_id": "<WORKOS_CLIENT_ID>"}'
Directory Sync (SCIM)
List Directories
curl "https://api.workos.com/directories?organization_id=<org_id>" \
-H "Authorization: Bearer $WORKOS_API_KEY"
List Directory Users
curl "https://api.workos.com/directory_users?directory=<dir_id>&limit=25" \
-H "Authorization: Bearer $WORKOS_API_KEY"
List Directory Groups
curl "https://api.workos.com/directory_groups?directory=<dir_id>" \
-H "Authorization: Bearer $WORKOS_API_KEY"
Get Directory User
curl "https://api.workos.com/directory_users/<user_id>" \
-H "Authorization: Bearer $WORKOS_API_KEY"
Admin Portal
Generate Admin Portal Link
curl -X POST "https://api.workos.com/portal/generate_link" \
-H "Authorization: Bearer $WORKOS_API_KEY" \
-H "Content-Type: application/json" \
-d '{"intent": "sso", "organization": "<org_id>", "return_url": "https://yourapp.com/settings"}'
# Returns: { link: "https://..." } — share with customer's IT admin
intent options: sso, dsync, log_streams, audit_logs
User Management (WorkOS AuthKit)
List Users
curl "https://api.workos.com/user_management/users?limit=25" \
-H "Authorization: Bearer $WORKOS_API_KEY"
Get User
curl "https://api.workos.com/user_management/users/<user_id>" \
-H "Authorization: Bearer $WORKOS_API_KEY"
Delete User
curl -X DELETE "https://api.workos.com/user_management/users/<user_id>" \
-H "Authorization: Bearer $WORKOS_API_KEY"
Connection Types
OktaSAML, AzureSAML, GoogleSAML, OneLoginSAML, GenericSAML, ADFSSAML, PingFederateSAML, OktaOIDC, MicrosoftOIDC, GoogleOIDC