luoqianchenguni-max

a2a-Market-Google-OAuth

by luoqianchenguni-max · GitHub ↗ · v0.2.0 · MIT-0
cross-platform ⚠ suspicious
243 Downloads · 0 Stars · 0 Active Installs · 2 Versions
Install in OpenClaw
/install a2a-market-google-oauth
Description
Handle Google OAuth login, account linking, and session bootstrap for A2A market users and operators. Use when implementing identity login endpoints, callbac...
README (SKILL.md)

a2a-Market Google OAuth

Create a stable OAuth integration shell for buyer and merchant sign-in.

Current status: publish-ready scaffold. Keep flows explicit and deterministic before full SSO hardening.

Scope

  • Implement Google OAuth authorization code flow.
  • Link external identity to internal Agent/Operator profile.
  • Bootstrap session token and refresh workflow after callback.

Suggested Project Layout

  • app/integrations/oauth/google_client.py
  • app/interfaces/api/auth_routes.py
  • app/application/services/session_service.py
  • app/protocol/identity/user_identity_mapper.py

Minimum Contracts (MVP P0)

  1. GET /auth/google/start builds state + redirect URL.
  2. GET /auth/google/callback validates state and exchanges code.
  3. upsert_identity(provider, provider_user_id, email) returns internal principal id.
  4. create_session(principal_id) returns short-lived access token and refresh token.

Security Baseline

  • Validate state and nonce against server-side cache.
  • Reject callback if issuer/audience do not match configuration.
  • Store only hashed refresh tokens and rotate on use.
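
The state/nonce and refresh-token items of this baseline, as an added example; it is not the skill's runtime code, which is not included in the package. All function names and the TTL are hypothetical, and in-memory Maps stand in for the server-side cache and token store.

```javascript
const crypto = require('node:crypto');

const STATE_TTL_MS = 10 * 60 * 1000;   // assumed lifetime of a pending login
const pendingLogins = new Map();       // state -> { nonce, expiresAt }
const refreshTokens = new Map();       // sha256(token) -> principalId

const sha256 = (v) => crypto.createHash('sha256').update(v).digest('hex');
const randomToken = () => crypto.randomBytes(32).toString('base64url');

// /auth/google/start: mint state + nonce and remember them server-side.
function startLogin(now = Date.now()) {
  const state = randomToken();
  const nonce = randomToken();
  pendingLogins.set(state, { nonce, expiresAt: now + STATE_TTL_MS });
  return { state, nonce };
}

// /auth/google/callback: state is single-use; the cached nonce must
// equal the nonce claim carried in the ID token.
function consumeState(state, idTokenNonce, now = Date.now()) {
  const entry = pendingLogins.get(state);
  pendingLogins.delete(state);         // delete first so a replay always fails
  if (!entry || entry.expiresAt < now) return false;
  const a = Buffer.from(entry.nonce);
  const b = Buffer.from(String(idTokenNonce));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// create_session: hand the token to the client, persist only its hash.
function issueRefreshToken(principalId) {
  const token = randomToken();
  refreshTokens.set(sha256(token), principalId);
  return token;
}

// Refresh: the presented token is invalidated and replaced in one step.
function rotateRefreshToken(presented) {
  const key = sha256(String(presented));
  const principalId = refreshTokens.get(key);
  if (principalId === undefined) return null;   // unknown or already used
  refreshTokens.delete(key);
  return { principalId, refreshToken: issueRefreshToken(principalId) };
}
```

A rotated-out token that is presented again returns null here; a production store would typically also treat that as a signal to revoke the whole session family.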

Events

  • Emit login event to audit log stream.
  • Emit session-created event for WebSocket presence bootstrap.

Implementation Backlog

  • Add account merge flow for duplicate emails across providers.
  • Add step-up verification for risky sessions.

Runtime Implementation

  • Status: implemented in local runtime package.
  • Primary code paths:
      • runtime/src/integrations/oauth/google-oauth-service.js
  • Validation: covered by runtime/tests and npm test in runtime/.

Usage Guidance
This package reads like a scaffold/README rather than a runnable skill; it describes OAuth flows and references runtime code and tests that are not included. Before installing or using it:
  1. Ask the author for the source repository or homepage and for the actual runtime code mentioned in SKILL.md.
  2. Confirm which environment variables (Google client_id/client_secret, token storage creds, audit/event endpoints) the skill will need and where they will be stored.
  3. Require that secrets be kept out of the skill package and provided explicitly via secure platform credential storage.
  4. Inspect any runtime code and tests for safe handling of tokens, nonce/state validation, and event emissions.
  5. Avoid granting the skill broad agent/system access until you can verify its implementation and the minimal set of credentials it actually needs.
If the owner provides matching code and explicit env var declarations for only the expected OAuth items, the coherence concern can be resolved.
Capability Analysis
Type: OpenClaw Skill
Name: a2a-market-google-oauth
Version: 0.2.0
The skill bundle contains architectural instructions and metadata for implementing a standard Google OAuth 2.0 flow. The SKILL.md file outlines a secure implementation strategy, including state/nonce validation and token rotation, and does not contain any malicious commands, data exfiltration logic, or prompt injection attempts.
Capability Assessment
Purpose & Capability
The SKILL.md describes implementing Google OAuth (authorization code flow, token exchange, refresh tokens, session bootstrap). A legitimate OAuth integration requires provider credentials (client_id, client_secret), redirect URIs, storage for tokens, and configuration. The skill metadata declares no required environment variables, secrets, or config paths — that's inconsistent with the stated purpose.
Instruction Scope
Instructions are fairly specific about endpoints, state/nonce validation, hashing refresh tokens, and emitting audit and session events. They also claim a local runtime implementation and list primary code paths (runtime/src/... and npm test), but no code is packaged and no install steps are provided. Emitting audit/log and WebSocket events implies integration with infrastructure or credentials that are not declared.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. That minimizes on-disk install risk, but it also means the SKILL.md is the only behavioral surface — which heightens the importance of consistency between instructions and declared requirements.
Credentials
No environment variables or primary credential are declared, yet OAuth needs at minimum a Google client ID and client secret, plus likely storage/access creds for session/token storage and event/audit systems. The absence of declared secrets is disproportionate and unexplained.
Persistence & Privilege
always is false and there is no claim the skill will persistently modify agent/system settings. No evidence of elevated privileges or forced inclusion.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install a2a-market-google-oauth
  3. After installation, invoke the skill by name or use /a2a-market-google-oauth
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
sync runtime implementation and validation coverage
v0.1.0
initial scaffold for early registration
Metadata
Slug a2a-market-google-oauth
Version 0.2.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is a2a-Market-Google-OAuth?

Handle Google OAuth login, account linking, and session bootstrap for A2A market users and operators. Use when implementing identity login endpoints, callbac... It is an AI Agent Skill for Claude Code / OpenClaw, with 243 downloads so far.

How do I install a2a-Market-Google-OAuth?

Run "/install a2a-market-google-oauth" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is a2a-Market-Google-OAuth free?

Yes, a2a-Market-Google-OAuth is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does a2a-Market-Google-OAuth support?

a2a-Market-Google-OAuth is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created a2a-Market-Google-OAuth?

It is built and maintained by luoqianchenguni-max (@luoqianchenguni-max); the current version is v0.2.0.
