lijinhongucl-pixel

SecondMe OAuth2 login and API integration tool built for Baidu Miaoda (百度秒哒) apps, completing the Connect to SecondMe OAuth2 integration

by Socialite UCL LJH · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ✓ Security Clean
Downloads: 103
Stars: 1
Active Installs: 0
Versions: 3
Install in OpenClaw
/install secondme-connect-miaoda
Description
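SecondMe Connect - digital twin integrator. Lets Baidu Miaoda apps easily join the SecondMe ecosystem, with one-click OAuth2 login and full API calls. Integration takes 3 steps and works out of the box.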
Usage Guidance
This package is coherent for its stated goal, but follow these safety checks before deploying:
- Treat SUPABASE_SERVICE_ROLE_KEY and SECONDME_CLIENT_SECRET as highly sensitive: configure them only in server/Edge Function secrets (e.g., supabase secrets), never commit to source or expose to the frontend.
- Rigorously test Row-Level Security (RLS) in your Supabase project: authenticate as different users and confirm SELECT/UPDATE only returns each user's own profile row. If RLS is misconfigured, stored access_tokens could be exposed.
- Consider whether the frontend truly needs direct access to the raw SecondMe access_token. If possible, proxy API calls through the Edge Function (server-side) to avoid giving tokens to client code.
- Configure ALLOWED_ORIGINS strictly (do not use '*'). Verify the getAllowedOrigins/CORS implementation behaves as you expect in your deployment environment.
- Review Edge Function logs and the token-exchange endpoint usage (https://api.mindverse.com...) to ensure tokens are obtained and stored exactly as intended; confirm that the skill is calling the official SecondMe endpoints for your integration.
- The registry metadata had a formatting bug for the env listing; rely on SKILL.md and the template files to understand required env vars.
- Perform a light code review of the Edge Function's use of supabase.admin APIs (listUsers/createUser/generateLink) and ensure it matches your Supabase plan/ACLs and that magic-link behavior meets your security requirements (token lifetime, revocation).
If you are not comfortable managing high-privilege keys or verifying RLS/CORS yourself, involve a developer or security engineer before deploying to production.
Capability Analysis
Type: OpenClaw Skill
Name: secondme-connect-miaoda
Version: 1.0.2
The skill bundle provides a legitimate OAuth2 integration for the SecondMe ecosystem into Supabase-based applications. It implements standard security practices, including CSRF protection using state parameters in 'LoginButton.tsx', whitelist-based CORS validation in the 'secondme-oauth-callback' Edge Function, and Row Level Security (RLS) for protecting user tokens in 'profiles.sql'. The documentation in 'SKILL.md' and 'INTEGRATION.md' explicitly highlights the risks of high-privilege keys (SUPABASE_SERVICE_ROLE_KEY) and provides clear instructions on secure configuration. No evidence of intentional malice, data exfiltration, or unauthorized execution was found.
Capability Tags
requires-oauth-token
Capability Assessment
Purpose & Capability
The name/description (SecondMe OAuth2 + API integration for Baidu Miaoda apps) match the included templates and runtime instructions: front-end React components, a Supabase-backed profiles table, and an Edge Function that exchanges code for tokens and creates/updates Supabase users. The required binaries (node, npm) and the requested env vars (Supabase URLs/keys, SecondMe client id/secret, redirect URIs, ALLOWED_ORIGINS) are appropriate and expected for this purpose.
Instruction Scope
SKILL.md and the Edge Function code stay within the stated purpose: they perform OAuth code->token exchange, persist tokens to the profiles table, and generate a magic link for sign-in. One notable design choice: user access_tokens are stored in profiles.secondme_access_token and the front-end is allowed to read the user's own token (protected by RLS). This is an explicit tradeoff (direct client calls to SecondMe) and increases risk if RLS is misconfigured — the docs repeatedly warn about this and instruct testing, but the deployment must carefully validate RLS and CORS.
Install Mechanism
There is no remote install/download step; this is an instruction-only/template package containing source files for developers to copy into their project. No external arbitrary archives or network-based installers are pulled by the skill itself.
Credentials
The skill requests multiple secrets (SUPABASE_SERVICE_ROLE_KEY, SECONDME_CLIENT_SECRET) which are high-privilege but necessary for the Edge Function to create/update Supabase users and perform server-side token exchanges. The number of env vars is justified by the architecture, but operational caution is required: the service role key must be kept secret and only put into server/Edge Function environment (not in repos or frontend). Also note the manifest bit in the registry showed 'Required env vars: [object Object]' (formatting bug) — rely on SKILL.md for the accurate list.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It needs no persistent elevated platform privileges beyond the expected use of a Supabase service key inside an Edge Function (which is declared and documented).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install secondme-connect-miaoda
  3. After installation, invoke the skill by name or use /secondme-connect-miaoda
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
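- Clarified documentation: explains in detail that the SecondMe access_token is stored in the database, is protected by RLS policies, and that the frontend can read its own token.
- Added security recommendations: new RLS policy examples and verification steps, with a reminder to verify that the policies are correct.
- Updated the CORS configuration notes: emphasizes that ALLOWED_ORIGINS must be restricted to avoid the risk of token leakage.
- Removed the "no plaintext access_token is returned" description, to stay consistent with the actual behavior in which the frontend can read the token.
- Responds to the security review, focusing on detailed disclosure of access_token management and security protections.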
v1.0.1
Changelog for secondme-connect-miaoda v1.0.1
- Added introductory documentation: `INTRODUCTION.md` file now included.
- No changes to functionality; documentation addition only.
v1.0.0
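secondme-connect-miaoda v1.0.0
- Initial release, with full integration of SecondMe OAuth2 login and API calling capabilities
- Provides an Edge Function example, frontend React components, and database scripts
- Supports one-click integration of SecondMe login and multiple API features (chat, memory, plaza, etc.) for Baidu Miaoda apps
- Includes a detailed quick integration guide and troubleshooting documentation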
Metadata
Slug secondme-connect-miaoda
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

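What is the SecondMe OAuth2 login and API integration tool built for Baidu Miaoda apps (Connect to SecondMe OAuth2 integration)?

SecondMe Connect - digital twin integrator. Lets Baidu Miaoda apps easily join the SecondMe ecosystem, with one-click OAuth2 login and full API calls. Integration takes 3 steps and works out of the box. It is an AI Agent Skill for Claude Code / OpenClaw, with 103 downloads so far.

How do I install the SecondMe OAuth2 login and API integration tool built for Baidu Miaoda apps?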

Run "/install secondme-connect-miaoda" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is the SecondMe OAuth2 login and API integration tool built for Baidu Miaoda apps free?

Yes, the SecondMe OAuth2 login and API integration tool built for Baidu Miaoda apps is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does the SecondMe OAuth2 login and API integration tool built for Baidu Miaoda apps support?

The SecondMe OAuth2 login and API integration tool built for Baidu Miaoda apps is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created the SecondMe OAuth2 login and API integration tool built for Baidu Miaoda apps?

It is built and maintained by Socialite UCL LJH (@lijinhongucl-pixel); the current version is v1.0.2.
