Authorization

by Iván (ivangdavila) · GitHub ↗ · v1.0.0
Platforms: linux, darwin, win32 · ✓ Security Clean
693 Downloads · 2 Stars · 3 Active Installs · 1 Version
Install in OpenClaw: /install authorization
Description
Build secure access control with RBAC, ABAC, permissions, policies, and scope-based authorization.
README (SKILL.md)

When to Use

User needs to control what actions users can perform. Agent handles permission design, role hierarchies, policy evaluation, and access control middleware.

Quick Reference

Topic                      File
RBAC vs ABAC comparison    models.md
Implementation patterns    patterns.md
Framework middleware       middleware.md

Core Rules

1. Auth ≠ Authorization

  • Authentication: Who you are (login, OAuth, tokens)
  • Authorization: What you can do (permissions, roles, policies)
  • Never mix the two concerns — authentication happens BEFORE authorization

2. Principle of Least Privilege

  • Default deny — explicit grants only
  • Users get minimum permissions for their job
  • Audit permissions periodically (revoke unused)
  • Temporary elevation over permanent grants

3. Choose the Right Model

Model   Best For                     Complexity
ACL     Simple resource ownership    Low
RBAC    Organizational hierarchies   Medium
ABAC    Dynamic context-based rules  High
ReBAC   Social graphs, sharing       High

Start simple → evolve when needed.

4. Role Design Patterns

  • Roles represent jobs, not permissions
  • Max 3 inheritance levels (admin → manager → user)
  • Avoid role explosion — combine with ABAC for edge cases
  • Document role definitions (what can this role DO?)

5. Permission Naming

resource:action:scope
documents:write:own     ← Can edit own documents
documents:write:team    ← Can edit team documents
documents:delete:all    ← Can delete any document

Consistent naming prevents ambiguity.

6. Policy Evaluation Order

  1. Explicit deny → always wins
  2. Explicit allow → checked second
  3. No match → default deny
  4. Log all denials for debugging

7. Never Hardcode

// ❌ Bad — hardcoded role check
if (user.role === 'admin') { ... }

// ✅ Good — permission check
if (can(user, 'settings:update')) { ... }

Roles change. Permissions are stable.

Common Traps

  • Checking roles instead of permissions → brittle when roles change
  • OR logic in permissions → "can edit OR is admin" creates backdoors
  • Caching permissions too long → stale grants after role changes
  • Frontend-only checks → always verify server-side
  • God roles → split "admin" into specific permission sets
  • Circular inheritance → A inherits B, B inherits A, and the resolver crashes the system
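The rules above (resource:action:scope permission names, deny-before-allow evaluation with default deny and logged denials, a can() check instead of role comparisons, and role inheritance that rejects cycles) combined in one small evaluator. This is an added example, not code from the skill's models.md, patterns.md or middleware.md; the ROLES table, the '*' wildcard segment and the in-memory denialLog are assumptions made for the demo.

```javascript
// Assumed data shape: each role lists the roles it inherits plus explicit allow/deny patterns.
// A pattern is 'resource:action:scope'; '*' in any segment matches that whole segment.
const ROLES = {
  user:       { inherits: [],          allow: ['documents:write:own', 'documents:read:team'], deny: [] },
  manager:    { inherits: ['user'],    allow: ['documents:write:team'],                       deny: [] },
  admin:      { inherits: ['manager'], allow: ['documents:*:all', 'settings:update:all'],     deny: [] },
  // Constructed case: a contractor inherits 'user' but is explicitly denied team reads.
  contractor: { inherits: ['user'],    allow: [],                          deny: ['documents:read:team'] },
};

// Every denial is recorded so the "default deny" path can be debugged later.
const denialLog = [];

// Resolve the effective allow/deny sets of a role by walking its inheritance chain.
// A cycle (A inherits B, B inherits A) throws instead of recursing forever.
function resolveRole(roleName, roles = ROLES, seen = new Set()) {
  if (seen.has(roleName)) throw new Error(`circular role inheritance at '${roleName}'`);
  const role = roles[roleName];
  if (!role) throw new Error(`unknown role '${roleName}'`);
  seen.add(roleName);
  const allow = new Set(role.allow), deny = new Set(role.deny);
  for (const parent of role.inherits) {
    const resolved = resolveRole(parent, roles, seen);
    resolved.allow.forEach(p => allow.add(p));
    resolved.deny.forEach(p => deny.add(p));
  }
  seen.delete(roleName); // allow diamond-shaped (non-cyclic) inheritance
  return { allow, deny };
}

// A pattern matches a permission when segment counts agree and each segment is equal or '*'.
function matches(pattern, permission) {
  const p = pattern.split(':'), q = permission.split(':');
  return p.length === q.length && p.every((seg, i) => seg === '*' || seg === q[i]);
}

// can(): explicit deny wins, explicit allow is checked second, anything else is denied and logged.
function can(user, permission, roles = ROLES) {
  const { allow, deny } = resolveRole(user.role, roles);
  if ([...deny].some(d => matches(d, permission))) {
    denialLog.push({ user: user.id, permission, reason: 'explicit-deny' });
    return false;
  }
  if ([...allow].some(a => matches(a, permission))) return true;
  denialLog.push({ user: user.id, permission, reason: 'no-match' });
  return false;
}

// Constructed demo: the inherited 'user' allow does not rescue a permission the role explicitly denies.
console.log(can({ id: 'c1', role: 'contractor' }, 'documents:read:team'), denialLog);
```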

Security & Privacy

Data that stays local:

  • All documentation and patterns are reference material
  • No data collection or external requests

This skill does NOT:

  • Access your codebase automatically
  • Make network requests
  • Store any user data

Feedback

  • If useful: clawhub star authorization
  • Stay updated: clawhub sync
Usage Guidance
This skill is documentation and implementation examples for building authorization systems — it does not ask for credentials, perform installs, or make network requests. It's safe to read and use as guidance. When you copy examples into your code, take care to: (1) supply secrets (JWT secret, Redis credentials) from secure environment/storage, not hardcode them; (2) audit and protect any authorization audit logs (they may contain IPs or user agents); and (3) avoid running unfamiliar external commands like 'clawhub sync' without understanding what they do. If you plan to let an autonomous agent modify your codebase using this guidance, ensure the agent has only the minimal file access necessary and does not have access to other credentials or systems.
Capability Analysis
Type: OpenClaw Skill
Name: authorization
Version: 1.0.0
This skill bundle is benign. It consists entirely of documentation files (`.md`) and metadata (`_meta.json`) providing educational content and best practices for implementing authorization. The `SKILL.md` explicitly states that the skill does not access user code, make network requests, or store user data, and its metadata declares no external binaries are required. There is no executable code, no shell commands, no prompt injection attempts, and no evidence of malicious intent or risky capabilities.
Capability Assessment
Purpose & Capability
Name/description (authorization, RBAC/ABAC patterns, middleware) matches the content: guidance, code snippets, and design patterns. The skill requires no binaries, env vars, or installs, which is proportional for a reference/authoring skill.
Instruction Scope
SKILL.md and the included files are reference material and implementation examples (middleware.md, models.md, patterns.md). They do not instruct the agent to read local files, access environment variables, or make network requests at runtime. Some examples mention secrets (jwt secret) and logging request context; these are illustrative for implementers, not commands for the agent to exfiltrate data.
Install Mechanism
No install specification is present (instruction-only), so nothing will be downloaded or written to disk—lowest installation risk.
Credentials
The skill declares no required environment variables or credentials. Example code references typical implementation artifacts (jwt secret, redis), but the skill doesn't request them. This is proportionate for a design/reference skill.
Persistence & Privilege
always:false and normal model invocation settings. The skill does not request persistent presence or attempt to modify other skills or system-wide settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install authorization
  3. After installation, invoke the skill by name or use /authorization
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug: authorization
Version: 1.0.0
License:
All-time Installs: 3
Active Installs: 3
Total Versions: 1
Frequently Asked Questions

What is Authorization?

Build secure access control with RBAC, ABAC, permissions, policies, and scope-based authorization. It is an AI Agent Skill for Claude Code / OpenClaw, with 693 downloads so far.

How do I install Authorization?

Run "/install authorization" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Authorization free?

Yes, Authorization is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Authorization support?

Authorization is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).

Who created Authorization?

It is built and maintained by Iván (@ivangdavila); the current version is v1.0.0.
