{ "schemaVersion": "1.0", "item": { "slug": "auth", "name": "Auth", "source": "tencent", "type": "skill", "category": "安全合规", "sourceUrl": "https://clawhub.ai/ivangdavila/auth", "canonicalUrl": "https://clawhub.ai/ivangdavila/auth", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/auth", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=auth", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md", "mfa.md", "middleware.md", "oauth.md", "passwords.md", "strategies.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "slug": "auth", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-29T03:06:32.265Z", "expiresAt": "2026-05-06T03:06:32.265Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=auth", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=auth", "contentDisposition": "attachment; filename=\"auth-1.3.0.zip\"", "redirectLocation": null, "bodySnippet": null, "slug": "auth" }, "scope": "item", "summary": "Item download looks usable.", "detail": "Yavira can redirect you to the upstream package for this item.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/auth" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/auth", "agentPageUrl": "https://openagent3.xyz/skills/auth/agent", "manifestUrl": "https://openagent3.xyz/skills/auth/agent.json", "briefUrl": "https://openagent3.xyz/skills/auth/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Documentation-Only Skill", "body": "This skill is a reference guide. It contains code examples that demonstrate authentication patterns.\n\nImportant: The code examples in this skill:\n\nAre templates for developers to adapt\nShow placeholder values (SECRET, API_KEY, etc.)\nReference external services as examples only\nAre NOT executed by the agent\n\nThe agent provides guidance. The developer implements in their own project." }, { "title": "When to Use", "body": "User needs guidance on implementing authentication. Agent explains patterns for login flows, token strategies, password security, OAuth integration, and session management." }, { "title": "Quick Reference", "body": "TopicFileSession vs JWT strategiesstrategies.mdPassword handlingpasswords.mdMFA implementationmfa.mdOAuth and social loginoauth.mdFramework middlewaremiddleware.md" }, { "title": "Scope", "body": "This skill ONLY:\n\nExplains authentication concepts\nShows code patterns as examples\nProvides best practice guidance\n\nThis skill NEVER:\n\nExecutes code\nMakes network requests\nAccesses credentials\nStores data\nReads environment variables" }, { "title": "Note on Code Examples", "body": "Code examples in auxiliary files show:\n\nEnvironment variables like process.env.JWT_SECRET - these are placeholders\nAPI calls to OAuth providers - these are reference patterns\nSecrets like SECRET, REFRESH_SECRET - these are example names\n\nThe agent does not have access to these values. They demonstrate what the developer should configure in their own project." }, { "title": "1. Auth vs Authorization", "body": "Authentication: Who you are (this skill)\nAuthorization: What you can do (different concern)\nAuth happens FIRST, then authorization checks permissions" }, { "title": "2. Choose the Right Strategy", "body": "Use CaseStrategyWhyTraditional web appSessions + cookiesSimple, instant revocationMobile appJWT (short-lived) + refresh tokenNo cookies, offline supportAPI/microservicesJWTStateless, scalableEnterpriseSSO (SAML/OIDC)Central identity managementConsumerSocial login + email fallbackReduced friction" }, { "title": "3. Never Roll Your Own Crypto", "body": "Use bcrypt (cost 12) or Argon2id for passwords\nUse battle-tested libraries for JWT, OAuth\nNever implement password hashing, token signing manually\nNever store plaintext or reversibly encrypted passwords" }, { "title": "4. Defense in Depth", "body": "Rate limiting -> CAPTCHA -> Account lockout -> MFA -> Audit logging" }, { "title": "5. Secure by Default", "body": "httpOnly + Secure + SameSite=Lax for cookies\nShort token lifetimes (15min access, 7d refresh)\nRegenerate session ID on login\nRequire re-auth for sensitive operations" }, { "title": "6. Fail Securely", "body": "// Bad - reveals if email exists\nif (!user) return { error: 'User not found' };\n\n// Good - same error for both cases\nif (!user || !validPassword) {\n return { error: 'Invalid credentials' };\n}" }, { "title": "7. Log Everything (Except Secrets)", "body": "LogDo Not LogLogin success/failurePasswordsIP, user agent, timestampTokensMFA eventsSession IDsPassword changesRecovery codes" }, { "title": "Common Traps", "body": "Storing passwords with MD5/SHA1 - use bcrypt or Argon2id\nJWT with long expiry (30d) - use short access + refresh token\nRevealing if email exists - use generic error message\nHard account lockout - enables denial of service\nSMS for MFA - vulnerable to SIM swapping\nNo rate limiting on login - enables brute force" }, { "title": "Feedback", "body": "If useful: clawhub star auth\nStay updated: clawhub sync" } ], "body": "Documentation-Only Skill\n\nThis skill is a reference guide. It contains code examples that demonstrate authentication patterns.\n\nImportant: The code examples in this skill:\n\nAre templates for developers to adapt\nShow placeholder values (SECRET, API_KEY, etc.)\nReference external services as examples only\nAre NOT executed by the agent\n\nThe agent provides guidance. The developer implements in their own project.\n\nWhen to Use\n\nUser needs guidance on implementing authentication. Agent explains patterns for login flows, token strategies, password security, OAuth integration, and session management.\n\nQuick Reference\nTopic\tFile\nSession vs JWT strategies\tstrategies.md\nPassword handling\tpasswords.md\nMFA implementation\tmfa.md\nOAuth and social login\toauth.md\nFramework middleware\tmiddleware.md\nScope\n\nThis skill ONLY:\n\nExplains authentication concepts\nShows code patterns as examples\nProvides best practice guidance\n\nThis skill NEVER:\n\nExecutes code\nMakes network requests\nAccesses credentials\nStores data\nReads environment variables\nNote on Code Examples\n\nCode examples in auxiliary files show:\n\nEnvironment variables like process.env.JWT_SECRET - these are placeholders\nAPI calls to OAuth providers - these are reference patterns\nSecrets like SECRET, REFRESH_SECRET - these are example names\n\nThe agent does not have access to these values. They demonstrate what the developer should configure in their own project.\n\nCore Rules\n1. Auth vs Authorization\nAuthentication: Who you are (this skill)\nAuthorization: What you can do (different concern)\nAuth happens FIRST, then authorization checks permissions\n2. Choose the Right Strategy\nUse Case\tStrategy\tWhy\nTraditional web app\tSessions + cookies\tSimple, instant revocation\nMobile app\tJWT (short-lived) + refresh token\tNo cookies, offline support\nAPI/microservices\tJWT\tStateless, scalable\nEnterprise\tSSO (SAML/OIDC)\tCentral identity management\nConsumer\tSocial login + email fallback\tReduced friction\n3. Never Roll Your Own Crypto\nUse bcrypt (cost 12) or Argon2id for passwords\nUse battle-tested libraries for JWT, OAuth\nNever implement password hashing, token signing manually\nNever store plaintext or reversibly encrypted passwords\n4. Defense in Depth\nRate limiting -> CAPTCHA -> Account lockout -> MFA -> Audit logging\n\n5. Secure by Default\nhttpOnly + Secure + SameSite=Lax for cookies\nShort token lifetimes (15min access, 7d refresh)\nRegenerate session ID on login\nRequire re-auth for sensitive operations\n6. Fail Securely\n// Bad - reveals if email exists\nif (!user) return { error: 'User not found' };\n\n// Good - same error for both cases\nif (!user || !validPassword) {\n return { error: 'Invalid credentials' };\n}\n\n7. Log Everything (Except Secrets)\nLog\tDo Not Log\nLogin success/failure\tPasswords\nIP, user agent, timestamp\tTokens\nMFA events\tSession IDs\nPassword changes\tRecovery codes\nCommon Traps\nStoring passwords with MD5/SHA1 - use bcrypt or Argon2id\nJWT with long expiry (30d) - use short access + refresh token\nRevealing if email exists - use generic error message\nHard account lockout - enables denial of service\nSMS for MFA - vulnerable to SIM swapping\nNo rate limiting on login - enables brute force\nFeedback\nIf useful: clawhub star auth\nStay updated: clawhub sync" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/ivangdavila/auth", "publisherUrl": "https://clawhub.ai/ivangdavila/auth", "owner": "ivangdavila", "version": "1.3.0", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/auth", "downloadUrl": "https://openagent3.xyz/downloads/auth", "agentUrl": "https://openagent3.xyz/skills/auth/agent", "manifestUrl": "https://openagent3.xyz/skills/auth/agent.json", "briefUrl": "https://openagent3.xyz/skills/auth/agent.md" } }