
OpenBotAuth

by hammadtq · GitHub ↗ · v0.1.1
cross-platform ⚠ suspicious
Downloads: 1241 · Stars: 0 · Active Installs: 2 · Versions: 2
Install in OpenClaw: /install openbotauth
Description
Get a cryptographic identity for your AI agent. Generate Ed25519 keys, sign your work, prove who you are — across any platform.
Usage Guidance
This skill largely does what it says (generate an Ed25519 keypair, store it locally, and register it with an OBA service), but before installing:
  1. Confirm you have Node.js (v18+), curl and optionally openssl available; the SKILL.md requires them though the manifest does not declare them.
  2. Verify the legitimacy of https://openbotauth.org and its token issuance flow before pasting any bearer token (the skill asks you to log in via GitHub and paste a token).
  3. Understand that your private key will be stored unencrypted in ~/.config/openbotauth/key.json and a temporary token in ~/.config/openbotauth/token (the skill recommends deleting the token afterward); protect those files and consider generating keys offline.
  4. Prefer to run the provided node/curl commands locally yourself rather than pasting sensitive tokens into a chat window or allowing an autonomous agent to handle them.
  5. Ask the publisher for source/homepage or a repository so you can audit the registration step and confirm the API endpoints used.
If you cannot validate the remote service or the publisher, consider running the commands in a sandboxed environment or decline to install.
Capability Analysis
Type: OpenClaw Skill
Name: openbotauth
Version: 0.1.1
The skill implements a cryptographic identity system for AI agents, including key generation, registration, and request signing. It is classified as suspicious due to the implementation of a local HTTPS Man-in-the-Middle (MITM) proxy within `/tmp/openbotauth-proxy.mjs`. This proxy generates a local Certificate Authority (`~/.config/openbotauth/ca/ca.key`) and per-domain certificates using `openssl` to intercept and sign HTTPS traffic. While the skill demonstrates strong security awareness through robust input validation (`isValidHostname`), use of `execFileSync` with array arguments to prevent shell injection, secure file permissions (`0o600`), and explicit warnings about the sensitive nature of the CA key and token handling (including token deletion after registration), the inherent high-risk capability of a local MITM proxy warrants a 'suspicious' classification. There is no evidence of malicious intent, but the powerful nature of the operations performed is significant.
Capability Assessment
Purpose & Capability
The skill's stated purpose (create and register an Ed25519 identity and sign HTTP requests) matches the SKILL.md instructions (generate keys, register with an OBA API, store keys locally). However, the metadata claims no required binaries, while the runtime instructions explicitly require Node.js (v18+), curl and optionally openssl. That mismatch is an incoherence: an agent or integrator would need Node/curl to run the provided commands, yet the manifest declares none.
Instruction Scope
Instructions are focused on key generation, local storage (~/.config/openbotauth/key.json), and one-time registration using a user-provided token. They explicitly warn not to keep the bearer token in the browsing runtime and to delete the token after registration. The skill tells the user to paste a token obtained from an external site (https://openbotauth.org/token) and to save registration info to agent memory/notes. These actions are consistent with the stated goal, but they involve handling sensitive material (private key and bearer token) and instruct the agent to write secrets to disk and to agent memory — the user should confirm they are comfortable with that and ensure the agent's memory is protected.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be downloaded or written by an installation step. That reduces installer risk. The runtime still relies on local execution of Node/curl/openssl commands per SKILL.md.
Credentials
The skill requests no environment variables or external credentials in the manifest. The runtime requires the user to supply a one-time OpenBotAuth bearer token (obtained through the external site) for registration and stores it temporarily under ~/.config/openbotauth/token. Requesting that token is proportional to the registration step, but the skill's manifest should have declared the runtime requirement for Node/curl/openssl and should explicitly warn about the sensitive nature of the token/private key.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It writes files only under the user's home directory (~/.config/openbotauth) which is appropriate for identity material. The SKILL.md advises secure file permissions (0700/0600) and to delete the token after use.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install openbotauth
  3. After installation, invoke the skill by name or use /openbotauth
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
- Updated JWKS endpoint — changed from /agent-jwks/{id}.json to /jwks/{username}.json
- Added Token Handling Contract — documents bearer token lifecycle (registration-only, delete after)
- Added Compatibility Modes section — Core Mode (CLI) vs Browser Mode with security guidance
- Added Token Safety Rules table — do/don't guidance for token handling
- Added Runtime Compatibility table — support matrix for Claude Code, agent-browser, OpenClaw, CUA, skills.sh
- Registration script hardened:
  - Added redirect: 'error' to prevent token leakage on redirects
  - Writes config.json with agent_id, username, jwksUrl
  - Deletes token after successful registration
  - Fetches /auth/session to resolve username for JWKS URL
- Proxy security hardened:
  - Changed execSync to execFileSync (prevents command injection)
  - Added strict hostname validation regex
  - Added hash-based cert filenames (prevents path traversal)
  - Added port validation (1-65535)
- Added Official Packages section — links to @openbotauth/verifier-client, registry-signer, bot-cli, proxy
- Added strict verifier note — points to @openbotauth/bot-cli and openbotauth-demos/packages/signing-ts
- Enterprise SSO section — rewritten as roadmap spec (no runnable code, marked "not yet implemented")
- Proxy limitations — added IP hostname mitigation guidance
v0.1.0
- Initial release of openbotauth skill for cryptographic identity management.
- Enables Ed25519 keypair generation and management for AI agents.
- Provides step-by-step setup: keypair generation, token retrieval, agent registration, public JWKS endpoint activation, and signing/verifying payloads.
- Portable identity: sign and prove authenticity across multiple platforms using a single identity.
- Security guidance included to protect private keys and tokens.
Metadata
Slug: openbotauth
Version: 0.1.1
License:
All-time Installs: 2
Active Installs: 2
Total Versions: 2
Frequently Asked Questions

What is OpenBotAuth?

Get a cryptographic identity for your AI agent. Generate Ed25519 keys, sign your work, prove who you are — across any platform. It is an AI Agent Skill for Claude Code / OpenClaw, with 1241 downloads so far.

How do I install OpenBotAuth?

Run "/install openbotauth" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is OpenBotAuth free?

Yes, OpenBotAuth is completely free (open-source). You can download, install and use it at no cost.

Which platforms does OpenBotAuth support?

OpenBotAuth is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created OpenBotAuth?

It is built and maintained by hammadtq (@hammadtq); the current version is v0.1.1.
