Azure Auth
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: azure-auth
Version: 0.1.0
The skill bundle provides comprehensive documentation and code templates for implementing Microsoft Entra ID (Azure AD) authentication in React SPAs and Cloudflare Workers. All code and instructions adhere to standard security practices for authentication, including proper handling of environment variables, token validation, and error management. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts against the agent. The markdown files (SKILL.md, README.md, rules/azure-auth.md, references/aadsts-error-codes.md) are purely instructional and informative, guiding the agent and users on secure implementation and troubleshooting.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Applications built from this template can keep sign-in state across browser sessions and read basic Microsoft profile information.
The template persists MSAL auth state in browser storage/cookies and requests Microsoft profile/Graph User.Read scopes. This is expected for SSO, but it means the resulting app handles identity data and authentication state.
cacheLocation: "localStorage"; storeAuthStateInCookie: true; scopes: ["openid", "profile", "email", "User.Read"]
Use least-privilege scopes, consider sessionStorage if persistent browser login is not needed, and maintain strong XSS protections because browser storage can be exposed by frontend vulnerabilities.
If app code passes an unintended domain or user-controlled URL, an API bearer token could be sent to the wrong service.
The authenticated fetch helper attaches a bearer token to the caller-supplied URL. The examples use backend API paths, so this is purpose-aligned, but the caller must avoid untrusted or external URLs.
headers.set("Authorization", `Bearer ${token}`); return fetch(url, { ...options, headers });
Restrict the helper to same-origin or allowlisted API base URLs, and do not pass user-controlled URLs into authenticated fetch calls.
