← Back to Skills Marketplace
Web Service Onboarding
by
Nissan Dookeran
· GitHub ↗
· v1.0.2
· MIT-0
114
Downloads
0
Stars
1
Active Installs
3
Versions
Install in OpenClaw
/install web-service-onboarding
Description
Autonomous signup for external web services — browser automation, email verification, API key generation and secure storage in 1Password. Use when asked to c...
Usage Guidance
This skill automates account creation and handles very sensitive secrets (email inbox access, passkeys, API keys, and 1Password storage). Before installing or invoking it, ask the publisher to: 1) list required binaries and exact environment variables (Playwright/Chrome, Node, 1Password CLI/OP session env, Proton Bridge/IMAP creds); 2) explain how 1Password authentication is performed (which env var or interactive flow) and confirm it will not leak tokens; 3) avoid writing raw credentials to world-readable temp files (don't write passkeys/API keys to /tmp or at minimum encrypt them and clean up securely); 4) provide a minimal, auditable example run or source code so you can review how private data is handled; and 5) run the skill first in an isolated sandbox account/environment. If the publisher cannot provide those clarifications, treat the skill as high risk for accidental credential exposure or misuse.
Capability Assessment
Purpose & Capability
The skill's claimed purpose—automating signups, email verification, passkey handling, API key generation, and storing secrets in 1Password—matches the content of SKILL.md. However, the skill does not declare any required binaries, environment variables, or credentials (e.g., Playwright/Chromium, 1Password CLI/session token, Proton Bridge or IMAP credentials), even though the instructions clearly require them. That omission is an inconsistency: a legitimate onboarding skill should list the external tools and secrets it needs.
Instruction Scope
The SKILL.md instructs the agent to perform sensitive operations: create browser contexts, add a Playwright CDP virtual authenticator, export WebAuthn credentials to a local file (/tmp/webauthn-creds.json), fetch verification links via an IMAP bridge on localhost, and save API keys into 1Password. These operations access, create, and persist secrets. The instructions do not explain how to authenticate to 1Password or how to protect exported passkey files (which are written to /tmp, often world-readable). The skill also assumes access to a Proton Bridge or local IMAP proxy at 127.0.0.1:1143 without documenting credentials or setup. This scope creep and lack of safe-handling guidance is concerning.
Install Mechanism
There is no install spec (instruction-only), so nothing will be written automatically to disk by an installer — this lowers supply-chain risk. However, the runtime instructions depend on external tooling (browser automation like Playwright/CDP, Node runtime, 1Password CLI, Proton Bridge) and will write temporary files. The absence of an install spec means the skill expects those tools to already exist; the missing dependency declarations are a transparency gap.
Credentials
No environment variables or primary credential are declared, yet the workflow requires secrets and auth to external/local services: IMAP/email credentials or Proton Bridge config, 1Password session tokens or CLI auth, and possibly cloud provider credentials for some services. The skill also writes exported passkeys and presumably API keys to disk before moving them to 1Password. Requesting unspecified credentials or accessing local services without declaring them is disproportionate and raises risk of misconfiguration or accidental secret exposure.
Persistence & Privilege
The skill is not marked always:true and is user-invocable, so it does not have elevated forced persistence. Autonomous invocation is allowed (platform default) but that alone is not flagged. The SKILL.md does instruct writing persistent artifacts (files under /tmp, 1Password entries) but it does not attempt to modify other skills or global agent config.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install web-service-onboarding - After installation, invoke the skill by name or use
/web-service-onboarding - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Security: added security_notes to clarify legitimate usage of network/credential/encoding patterns. Prevents false-positive scanner flags.
v1.0.1
Security metadata: added security_notes clarifying this skill manages the agent's own signup session only, not credential theft. Tightened description wording to avoid false-positive scanner triggers.
v1.0.0
Initial publish: autonomous web service signup with browser automation, credential extraction, 1Password storage
Metadata
Frequently Asked Questions
What is Web Service Onboarding?
Autonomous signup for external web services — browser automation, email verification, API key generation and secure storage in 1Password. Use when asked to c... It is an AI Agent Skill for Claude Code / OpenClaw, with 114 downloads so far.
How do I install Web Service Onboarding?
Run "/install web-service-onboarding" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Web Service Onboarding free?
Yes, Web Service Onboarding is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Web Service Onboarding support?
Web Service Onboarding is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Web Service Onboarding?
It is built and maintained by Nissan Dookeran (@nissan); the current version is v1.0.2.
More Skills