authaudit
v1.0.1
Authentication & authorization pattern analyzer — finds missing auth checks, insecure sessions, broken access control, CSRF gaps, and token handling vulnerab...
⭐ 0 · 47 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (auth/authz pattern analyzer) matches the shipped files: patterns.sh contains regex checks, analyzer.sh runs local grep-based scans, dispatcher.sh provides a CLI, and license.sh gates Pro/Team features. The required binaries (git, bash, python3, jq) are reasonable for the shipped implementation.
Instruction Scope
SKILL.md and the scripts instruct the agent to run local scripts (dispatcher.sh → analyzer.sh → patterns.sh). Scanning is performed locally with grep/find and does not send code to external servers. The only external references are informational (product URL) and license prompts; there are no instructions to exfiltrate files or read unrelated secrets beyond the OpenClaw config file used to obtain the license key.
Install Mechanism
The only declared install action is to install the 'lefthook' git-hook manager via brew, which is coherent with the hooks functionality. No downloads from untrusted URLs or opaque extract actions are present. Scripts provide alternate guidance (npm global) but do not automatically fetch remote code.
Credentials
The skill declares a single primary credential (AUTHAUDIT_LICENSE_KEY) which is appropriate for tier gating. It also reads ~/.openclaw/openclaw.json to locate a stored apiKey (declared in metadata). license.sh optionally checks a CLAWHUB_JWT_SECRET env var (used only to verify license signatures) but that variable is not declared in requires.env; its use is optional and limited to local signature verification. Overall requested env/config access is proportionate, but note that reading ~/.openclaw/openclaw.json means the script will parse your OpenClaw config to locate its apiKey (it does not exfiltrate it).
Persistence & Privilege
The 'always' flag is false and the skill is user-invocable. The skill can install git hooks (lefthook) into a repository when the user runs 'authaudit hooks install', which will modify lefthook.yml and run lefthook install — this is expected for a hooks feature but is a change to the repo that the user should approve. The skill does not request permanent platform-level privileges or modify other skills.
Assessment
This skill appears to do what it says: a local, grep/regex-based auth/authz scanner that requires a license key. Before installing or running hooks:
1) Verify the license key source and avoid pasting keys from untrusted locations.
2) Back up ~/.openclaw/openclaw.json if you are concerned, since the skill will read it to find its apiKey.
3) Review the scripts (already bundled) if you plan to enable pre-commit/pre-push hooks — installing hooks will modify your repository's lefthook.yml and run lefthook.
4) If you do not want local signature verification to access any CLAWHUB_JWT_SECRET, do not set that env var; it is optional.
5) Run scans on a copy/isolated repo first if you want to validate behavior.
Overall, nothing indicates exfiltration or unrelated credential access, but exercise normal caution with license keys and repo hook installation.
scripts/patterns.sh:241: Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.
latest: vk971bmar9zxz5h4g7bnp7m27rx84vea3
Runtime requirements
🔐 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: AUTHAUDIT_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook