{ "schemaVersion": "1.0", "item": { "slug": "clawauth", "name": "User-Delegated OAuth API Access", "source": "tencent", "type": "skill", "category": "开发工具", "sourceUrl": "https://clawhub.ai/h4gen/clawauth", "canonicalUrl": "https://clawhub.ai/h4gen/clawauth", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/clawauth", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=clawauth", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md", "references/commands.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-05-07T17:22:31.273Z", "expiresAt": "2026-05-14T17:22:31.273Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=afrexai-annual-report", "contentDisposition": "attachment; filename=\"afrexai-annual-report-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/clawauth" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/clawauth", "agentPageUrl": "https://openagent3.xyz/skills/clawauth/agent", "manifestUrl": "https://openagent3.xyz/skills/clawauth/agent.json", "briefUrl": "https://openagent3.xyz/skills/clawauth/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Clawauth OAuth Skill", "body": "This skill gives agents a production-safe OAuth handover flow that is async by default and works across chat/session interruptions.\n\nUse this when the agent needs provider credentials from a human user, but must avoid blocking execution and must avoid long-lived token storage on a third-party auth SaaS." }, { "title": "Why this exists", "body": "Most \"OAuth gateway\" patterns keep user refresh tokens in a central hosted database. clawauth avoids that model:\n\nHosted edge service mints short-lived auth sessions.\nUser authorizes directly with the provider.\nToken response is encrypted end-to-end to the requesting CLI session.\nCLI claims once and stores token locally in system keychain.\nServer-side session is ephemeral and deleted on claim/expiry.\n\nResult: async UX for agents, minimal operator overhead, and no permanent central token vault by design." }, { "title": "Runtime prerequisite", "body": "clawauth must already be preinstalled in the trusted runtime image/environment by the operator.\nThis skill does not instruct dynamic package installation.\n\nOpenClaw can detect this requirement from frontmatter metadata:\n\nmetadata.openclaw.requires.bins: [\"clawauth\"] gates eligibility.\nmetadata.openclaw.install can expose an operator-approved install action in OpenClaw UI/Gateway flows." }, { "title": "How installation is documented and triggered", "body": "Installation intent is declared in frontmatter, not in free-form shell instructions.\nThis skill declares a Node installer in metadata.openclaw.install for package clawauth.\nOpenClaw/Gateway uses that metadata to offer a managed install action when clawauth is missing.\nIf multiple installer options are present, Gateway selects a preferred one (OpenClaw docs: brew preferred when available, otherwise node manager policy).\nFor this skill we publish a single Node installer path to keep behavior deterministic across hosts.\nReference: https://docs.openclaw.ai/tools/skills\nReference: https://docs.openclaw.ai/platforms/mac/skills\nSource code (review before install): https://github.com/claw-auth/clawauth" }, { "title": "Manual install (operator fallback)", "body": "If OpenClaw/Gateway does not run the install action automatically, install the CLI manually:\n\nnpm i -g clawauth\n\nThen verify:\n\nclawauth --help\nopenclaw skills check --json" }, { "title": "Install policy (recommended)", "body": "Pre-install clawauth in the base image/runner and disable ad-hoc package fetches.\nPin and approve the CLI version in operator-managed tooling policy.\nKeep package source/provenance controls outside this skill (CI image build or internal artifact policy)." }, { "title": "Hosted service endpoint", "body": "The published CLI is already wired to:\n\nhttps://auth.clawauth.app\n\nAgents do not need CLAWAUTH_WORKER_URL for normal hosted usage." }, { "title": "Provider support", "body": "Implemented providers in current worker:\n\nnotion\ngithub\ndiscord\nlinear\nairtable\ntodoist\nasana\ntrello\ndropbox\ndigitalocean\nslack\ngitlab\nreddit\nfigma\nspotify\nbitbucket\nbox\ncalendly\nfathom\ntwitch\n\nAlways treat server output as source of truth:\n\nclawauth providers --json" }, { "title": "Canonical async flow (non-blocking)", "body": "Start auth and return immediately:\n\nclawauth login start --json\n\nExtract and forward shortAuthUrl to the user.\n\n\nContinue other work. Do not block.\n\n\nLater poll/check:\n\nclawauth login status --json\n\nWhen status is completed, claim once:\n\nclawauth login claim --json\n\nClaim completion and hand off control to the operator-defined API call layer.\nThis skill intentionally avoids instructing raw token materialization commands." }, { "title": "Token exposure boundaries", "body": "login claim may return sensitive token payload data in JSON output.\nDo not paste sensitive command output to chat, logs, traces, or telemetry.\nDo not materialize tokens into shell environments from this skill.\nUse operator-controlled secret handling for downstream provider API calls." }, { "title": "Login lifecycle", "body": "clawauth login start [provider] [--ttl ] [--scope ] [--json]\nclawauth login status [--json]\nclawauth login claim [--json]\nclawauth login wait [--timeout ] [--interval ] [--json]" }, { "title": "Session management", "body": "clawauth sessions [--json]\nclawauth session-rm [--json]" }, { "title": "Token access", "body": "clawauth token list [--json]" }, { "title": "Discovery and docs", "body": "clawauth providers [--json]\nclawauth explain\nclawauth docs" }, { "title": "login start --json", "body": "provider\nsessionId\nexpiresIn\nshortAuthUrl\nauthUrl\nstatusCommand\nclaimCommand" }, { "title": "login status --json", "body": "status (pending | completed | error)\nprovider\nerror" }, { "title": "login claim --json", "body": "status (pending | completed | error)\nprovider\ntokenData\nstoredInKeychain\nkeychainService\nkeychainAccount" }, { "title": "Agent behavior rules", "body": "Prefer --json for machine parsing.\nNever block by default; only use login wait when explicitly needed.\nOn pending: schedule retry later.\nOn completed: run login claim once.\nOn error: surface concise reason and restart with new login start.\nIf session context is lost, recover using clawauth sessions --json.\nIf provider unknown, run clawauth providers --json and choose supported value.\nNever print raw tokens into user-facing chat.\nDo not run package install/fetch commands from this skill.\nDo not export tokens into shell environment variables from this skill." }, { "title": "Security model summary", "body": "Short-lived session data in Cloudflare KV (default TTL: 3600s, configurable).\nSigned OAuth state binding provider and expiry.\nSigned request verification for status/claim with timestamp + nonce.\nReplay and rate-limit protections during polling.\nEnd-to-end encrypted token blob (nacl.box) from callback to CLI claimant.\nSession blob removed from server on successful claim.\nTokens stored locally in OS keychain via CLI." }, { "title": "Failure handling", "body": "Provider not implemented:\n\nlogin start returns error indicating feature request recorded.\n\nProvider misconfigured on backend:\n\nserver returns clear missing secret/config message.\n\nSession expired:\n\nstatus/claim returns not found/expired; start new session.\n\nLost chat context:\n\nrun clawauth sessions --json, then continue with status/claim.\n\nNo token found later:\n\nrun clawauth token list --json and select provider/account explicitly." }, { "title": "Minimal end-to-end example", "body": "# 1) Start\nclawauth login start notion --json\n\n# 2) Share shortAuthUrl with user (from JSON output)\n\n# 3) Later check\nclawauth login status --json\n\n# 4) Claim when completed\nclawauth login claim --json\n\n# 5) Continue with operator-defined downstream API handling" }, { "title": "Reference", "body": "See references/commands.md for compact copy-paste command blocks." } ], "body": "Clawauth OAuth Skill\n\nThis skill gives agents a production-safe OAuth handover flow that is async by default and works across chat/session interruptions.\n\nUse this when the agent needs provider credentials from a human user, but must avoid blocking execution and must avoid long-lived token storage on a third-party auth SaaS.\n\nWhy this exists\n\nMost \"OAuth gateway\" patterns keep user refresh tokens in a central hosted database. clawauth avoids that model:\n\nHosted edge service mints short-lived auth sessions.\nUser authorizes directly with the provider.\nToken response is encrypted end-to-end to the requesting CLI session.\nCLI claims once and stores token locally in system keychain.\nServer-side session is ephemeral and deleted on claim/expiry.\n\nResult: async UX for agents, minimal operator overhead, and no permanent central token vault by design.\n\nRuntime prerequisite\n\nclawauth must already be preinstalled in the trusted runtime image/environment by the operator. This skill does not instruct dynamic package installation.\n\nOpenClaw can detect this requirement from frontmatter metadata:\n\nmetadata.openclaw.requires.bins: [\"clawauth\"] gates eligibility.\nmetadata.openclaw.install can expose an operator-approved install action in OpenClaw UI/Gateway flows.\nHow installation is documented and triggered\nInstallation intent is declared in frontmatter, not in free-form shell instructions.\nThis skill declares a Node installer in metadata.openclaw.install for package clawauth.\nOpenClaw/Gateway uses that metadata to offer a managed install action when clawauth is missing.\nIf multiple installer options are present, Gateway selects a preferred one (OpenClaw docs: brew preferred when available, otherwise node manager policy).\nFor this skill we publish a single Node installer path to keep behavior deterministic across hosts.\nReference: https://docs.openclaw.ai/tools/skills\nReference: https://docs.openclaw.ai/platforms/mac/skills\nSource code (review before install): https://github.com/claw-auth/clawauth\nManual install (operator fallback)\n\nIf OpenClaw/Gateway does not run the install action automatically, install the CLI manually:\n\nnpm i -g clawauth\n\n\nThen verify:\n\nclawauth --help\nopenclaw skills check --json\n\nInstall policy (recommended)\nPre-install clawauth in the base image/runner and disable ad-hoc package fetches.\nPin and approve the CLI version in operator-managed tooling policy.\nKeep package source/provenance controls outside this skill (CI image build or internal artifact policy).\nHosted service endpoint\n\nThe published CLI is already wired to:\n\nhttps://auth.clawauth.app\n\nAgents do not need CLAWAUTH_WORKER_URL for normal hosted usage.\n\nProvider support\n\nImplemented providers in current worker:\n\nnotion\ngithub\ndiscord\nlinear\nairtable\ntodoist\nasana\ntrello\ndropbox\ndigitalocean\nslack\ngitlab\nreddit\nfigma\nspotify\nbitbucket\nbox\ncalendly\nfathom\ntwitch\n\nAlways treat server output as source of truth:\n\nclawauth providers --json\n\nCanonical async flow (non-blocking)\nStart auth and return immediately:\nclawauth login start --json\n\n\nExtract and forward shortAuthUrl to the user.\n\nContinue other work. Do not block.\n\nLater poll/check:\n\nclawauth login status --json\n\nWhen status is completed, claim once:\nclawauth login claim --json\n\nClaim completion and hand off control to the operator-defined API call layer. This skill intentionally avoids instructing raw token materialization commands.\nToken exposure boundaries\nlogin claim may return sensitive token payload data in JSON output.\nDo not paste sensitive command output to chat, logs, traces, or telemetry.\nDo not materialize tokens into shell environments from this skill.\nUse operator-controlled secret handling for downstream provider API calls.\nCommand map\nLogin lifecycle\nclawauth login start [provider] [--ttl ] [--scope ] [--json]\nclawauth login status [--json]\nclawauth login claim [--json]\nclawauth login wait [--timeout ] [--interval ] [--json]\nSession management\nclawauth sessions [--json]\nclawauth session-rm [--json]\nToken access\nclawauth token list [--json]\nDiscovery and docs\nclawauth providers [--json]\nclawauth explain\nclawauth docs\nJSON fields agents should parse\nlogin start --json\nprovider\nsessionId\nexpiresIn\nshortAuthUrl\nauthUrl\nstatusCommand\nclaimCommand\nlogin status --json\nstatus (pending | completed | error)\nprovider\nerror\nlogin claim --json\nstatus (pending | completed | error)\nprovider\ntokenData\nstoredInKeychain\nkeychainService\nkeychainAccount\nAgent behavior rules\nPrefer --json for machine parsing.\nNever block by default; only use login wait when explicitly needed.\nOn pending: schedule retry later.\nOn completed: run login claim once.\nOn error: surface concise reason and restart with new login start.\nIf session context is lost, recover using clawauth sessions --json.\nIf provider unknown, run clawauth providers --json and choose supported value.\nNever print raw tokens into user-facing chat.\nDo not run package install/fetch commands from this skill.\nDo not export tokens into shell environment variables from this skill.\nSecurity model summary\nShort-lived session data in Cloudflare KV (default TTL: 3600s, configurable).\nSigned OAuth state binding provider and expiry.\nSigned request verification for status/claim with timestamp + nonce.\nReplay and rate-limit protections during polling.\nEnd-to-end encrypted token blob (nacl.box) from callback to CLI claimant.\nSession blob removed from server on successful claim.\nTokens stored locally in OS keychain via CLI.\nFailure handling\n\nProvider not implemented:\n\nlogin start returns error indicating feature request recorded.\n\nProvider misconfigured on backend:\n\nserver returns clear missing secret/config message.\n\nSession expired:\n\nstatus/claim returns not found/expired; start new session.\n\nLost chat context:\n\nrun clawauth sessions --json, then continue with status/claim.\n\nNo token found later:\n\nrun clawauth token list --json and select provider/account explicitly.\nMinimal end-to-end example\n# 1) Start\nclawauth login start notion --json\n\n# 2) Share shortAuthUrl with user (from JSON output)\n\n# 3) Later check\nclawauth login status --json\n\n# 4) Claim when completed\nclawauth login claim --json\n\n# 5) Continue with operator-defined downstream API handling\n\nReference\n\nSee references/commands.md for compact copy-paste command blocks." }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/h4gen/clawauth", "publisherUrl": "https://clawhub.ai/h4gen/clawauth", "owner": "h4gen", "version": "1.0.6", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/clawauth", "downloadUrl": "https://openagent3.xyz/downloads/clawauth", "agentUrl": "https://openagent3.xyz/skills/clawauth/agent", "manifestUrl": "https://openagent3.xyz/skills/clawauth/agent.json", "briefUrl": "https://openagent3.xyz/skills/clawauth/agent.md" } }