← Back to Skills Marketplace
Scalekit Agent Auth
by
Avinash Kamath
· GitHub ↗
· v2.4.2
· MIT-0
1478
Downloads
5
Stars
0
Active Installs
10
Versions
Install in OpenClaw
/install scalekit-agent-auth
Description
Use this skill whenever the user asks for information from, or wants to take an action in, a third-party tool or service. This includes — but is not limited...
Usage Guidance
This skill appears to do what it says: it needs a Scalekit client id/secret and environment URL to discover and run connected tools. Before installing, verify the Scalekit environment and repository source (https://github.com/scalekit-inc/openclaw-skill) are trusted; keep TOOL_CLIENT_SECRET secret and scoped to least privilege; consider using a dedicated API client for agents rather than high-privilege credentials; confirm what the 'uv' CLI is in your environment (it's used to run/install the tool); and avoid sharing these env vars with untrusted agents or services. If you plan to allow autonomous agent actions, be aware the agent could call Scalekit APIs using these credentials — rotate them and restrict scopes if you later remove the skill.
Capability Analysis
Type: OpenClaw Skill
Name: scalekit-agent-auth
Version: 2.4.2
The skill bundle is classified as suspicious primarily due to the inclusion of the `--get-authorization` command in `tool_exec.py`, which explicitly retrieves and prints raw OAuth access and refresh tokens. While `SKILL.md` contains instructions advising the agent to avoid this command, its presence in a tool designed for AI-driven execution creates a high risk of credential exfiltration via prompt injection. Additionally, the `--proxy-request` feature allows for arbitrary HTTP requests to connected third-party services (e.g., Notion, Slack), which provides a powerful mechanism for unauthorized data access if the agent's logic is subverted.
Capability Assessment
Purpose & Capability
Name/description, SKILL.md instructions, and included code (tool_exec.py) all align: the skill discovers connections, generates auth links, and executes proxied tools via Scalekit. The required env vars (TOOL_CLIENT_ID, TOOL_CLIENT_SECRET, TOOL_ENV_URL, TOOL_IDENTIFIER) are appropriate for a Scalekit client.
Instruction Scope
The SKILL.md steps are narrowly scoped to listing connections, generating auth links, fetching tool schemas, executing tools, and proxy fallback. It references .env for Scalekit credentials and instructs presenting authorization links to the user. There are no instructions to read unrelated system files or exfiltrate data to external endpoints outside the configured Scalekit environment.
Install Mechanism
No remote downloads or archives; dependency installation is delegated to the 'uv sync' command documented in SKILL.md. That is a moderate-risk but standard approach for Python-based CLI tools. The only unusual required binary is 'uv' (used to run/sync), which is referenced in the instructions and install metadata.
Credentials
All required environment variables correspond to a Scalekit API client and an optional identifier. The skill does not request unrelated credentials or broad system secrets. TOOL_CLIENT_SECRET is necessary for OAuth flows and is the expected sensitive item.
Persistence & Privilege
The skill does not request persistent platform-level privileges (always is false). It does not require any system config paths or to modify other skills. Autonomous invocation is enabled (default) but that is normal for skills and not by itself a red flag.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install scalekit-agent-auth - After installation, invoke the skill by name or use
/scalekit-agent-auth - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.4.2
- Updated dependencies in pyproject.toml for improved compatibility.
- Minor metadata or configuration changes in _meta.json.
- No changes to usage or functionality documented in SKILL.md.
v2.4.1
- Improved connection discovery: now only considers connections with status "COMPLETED" and ignores drafts or pending setups.
- Adds explicit guidance if no completed connection exists, including instructions for users on completing setup in the Scalekit Dashboard.
- Enhanced user messaging when incomplete or no connections are found.
- No code or functional changes beyond updating execution documentation for higher connection validity and reliability.
v2.4.0
**Summary:** Major cleanup and restructuring of skill source files, with streamlined documentation and removal of old directories.
- Consolidated and updated documentation in SKILL.md for clarity and accuracy.
- Removed legacy implementation files, old subdirectories, and test cases no longer referenced (9 files removed).
- Incorporated new `_meta.json` for streamlined skill configuration.
- Updated main execution and interface logic in tool_exec.py and SKILL.md.
- Simplified project structure by eliminating the nested `skills/scalekit-agent-auth` directory.
v2.3.0
Add debug logging (TOOL_DEBUG), fix connection listing to return all connections, update SKILL.md with COMPLETED-only connection rule and Notion file upload/download guide
v2.2.0
feat: mandatory schema fetch before tool execution; fix JSON output for SDK response objects; add LinkedIn→HarvestAPI provider mapping
v2.1.0
feat: add LinkedIn provider mapping to HarvestAPI; add provider mapping table and LinkedIn example in SKILL.md
v2.0.2
No user-facing changes in this release.
- Version bump to 2.0.2 with no changes to files or documentation.
v2.0.1
Fix: declare required env vars in metadata; remove interactive input() prompts for non-interactive safety
v2.0.0
**Major refactor and expansion of capability: general-purpose tool execution and multi-auth support**
- Replaced narrow OAuth-only design with a comprehensive tool discovery and execution framework for any provider/service via Scalekit Connect.
- Unified support for OAuth and non-OAuth (API Key, Bearer, Basic auth) connections, handling dynamic discovery and authorization.
- Added `tool_exec.py` script for listing connections, generating auth links, viewing/running tools, and proxying custom API requests.
- Updated installation and environment variable requirements; now uses uv for dependency management.
- Overhauled documentation to guide users on full tool execution workflow, including fallback behavior and error handling.
- Removed legacy scripts and helper modules tied to single-service token logic.
v1.0.0
- Initial release of scalekit-auth skill for secure OAuth token management via Scalekit.
- Centralizes OAuth token storage, refresh, and retrieval for services like Gmail, Slack, GitHub, and more.
- No local token storage; tokens are always fetched from Scalekit.
- Includes setup instructions, multi-service support, and both Python and CLI usage examples.
- Provides error handling and security best practices for managing credentials and tokens.
Metadata
Frequently Asked Questions
What is Scalekit Agent Auth?
Use this skill whenever the user asks for information from, or wants to take an action in, a third-party tool or service. This includes — but is not limited... It is an AI Agent Skill for Claude Code / OpenClaw, with 1478 downloads so far.
How do I install Scalekit Agent Auth?
Run "/install scalekit-agent-auth" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Scalekit Agent Auth free?
Yes, Scalekit Agent Auth is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Scalekit Agent Auth support?
Scalekit Agent Auth is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Scalekit Agent Auth?
It is built and maintained by Avinash Kamath (@avinash-kamath); the current version is v2.4.2.
More Skills