← Back to Skills Marketplace
OAuth Providers
by
maverick-software
· GitHub ↗
· v1.1.0
367
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install oauth-providers
Description
Adds an "OAuth" settings tab to the OpenClaw Control UI for connecting AI model providers. Supports Anthropic Claude Pro/Max subscription tokens (setup-token...
Usage Guidance
This skill appears to do what it says: add an OAuth/API-key UI and store credentials in OpenClaw's auth and secrets stores. Before installing, consider the following:
- It will read ~/.claude/.credentials.json (Claude CLI) if you use the Anthropic auto-detect feature and copy that token into OpenClaw — only enable auto-detect if you trust this behavior.
- Credentials are written to OpenClaw config/secrets (auth-profiles.json, ~/.openclaw/secrets.json). Make backups if you want to revert changes.
- OAuth manual fallback requires pasting the full redirect URL (contains codes/state). Avoid pasting such URLs into untrusted UIs or shared clipboards.
- The gateway uses a third-party package (@mariozechner/pi-ai) via dynamic import; ensure that dependency in your environment comes from a trusted source before using the OAuth flow.
- Logs may include short token prefixes in error messages (the code prints the token start in some errors). If that concerns you, review/modify logging before use.
If you are comfortable with these behaviors (reading Claude CLI creds, writing to OpenClaw auth/secrets, and relying on the external pi-ai package), the skill is coherent with its stated purpose. If you need higher assurance, review the included TypeScript files and the provenance of @mariozechner/pi-ai before enabling the feature.
Capability Analysis
Type: OpenClaw Skill
Name: oauth-providers
Version: 1.1.0
The skill provides legitimate AI provider credential management but employs high-risk capabilities, such as reading sensitive access tokens from the Claude CLI configuration file (~/.claude/.credentials.json) and instructing the AI agent to execute Python scripts and system commands (systemctl) for troubleshooting. While these actions are aligned with the stated purpose and lack evidence of malicious intent or data exfiltration, the direct access to external application secrets and the use of agent-led shell execution for configuration management meet the criteria for a suspicious classification under the provided rubric.
Capability Assessment
Purpose & Capability
Name/description align with the code and SKILL.md: the UI view, controller, and gateway RPCs implement OAuth, subscription-token, and API-key storage for Anthropic, OpenAI (Codex PKCE), Google, and OpenRouter. The actions (reading ~/.claude, writing auth-profiles and secrets, invoking a PKCE flow) are expected for this feature.
Instruction Scope
Instructions and code stay within the stated purpose but do include reading another tool's credentials (~/.claude/.credentials.json) for an auto-detect feature and accept pasted redirect URLs for OAuth manual completion. Those behaviors are documented in SKILL.md and implemented in code; users should be aware this imports tokens from the Claude CLI into OpenClaw's auth store.
Install Mechanism
No install spec / no arbitrary remote downloads. The code dynamically imports an external package (@mariozechner/pi-ai) at runtime; if that package is required it must be present in the runtime environment (the code handles a missing package by returning an error). No extract-from-URL installs or unknown binary downloads are present in the skill bundle.
Credentials
The skill declares no required env vars but writes API keys into OpenClaw's secrets store and the mapping uses environment variable names (ANTHROPIC_API_KEY, OPENAI_API_KEY, GOOGLE_API_KEY, OPENROUTER_API_KEY). It also reads/writes local config and agent store files (auth-profiles.json, openclaw config, secrets.json). These accesses are proportionate to credential management, but users should expect these files to be modified and tokens copied into OpenClaw's encrypted stores.
Persistence & Privilege
always:false and user-invocable:true; the skill registers gateway RPC handlers and writes auth profiles/config when invoked, but it does not request permanent inclusion or modify other skills. Autonomous invocation is allowed by default but not combined here with other elevated privileges.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install oauth-providers - After installation, invoke the skill by name or use
/oauth-providers - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
WSL2 manual-paste fallback, Anthropic auto-detect, auth order architecture docs, badge rendering reference, stale order troubleshooting guide
v1.0.0
Initial release — Anthropic subscription token, OpenAI Codex PKCE OAuth, and API key flows for the OpenClaw Control UI OAuth settings tab
Metadata
Frequently Asked Questions
What is OAuth Providers?
Adds an "OAuth" settings tab to the OpenClaw Control UI for connecting AI model providers. Supports Anthropic Claude Pro/Max subscription tokens (setup-token... It is an AI Agent Skill for Claude Code / OpenClaw, with 367 downloads so far.
How do I install OAuth Providers?
Run "/install oauth-providers" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is OAuth Providers free?
Yes, OAuth Providers is completely free (open-source). You can download, install and use it at no cost.
Which platforms does OAuth Providers support?
OAuth Providers is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created OAuth Providers?
It is built and maintained by maverick-software (@maverick-software); the current version is v1.1.0.
More Skills