← Back to Skills Marketplace
376
Downloads
0
Stars
3
Active Installs
3
Versions
Install in OpenClaw
/install auth-guard
Description
Standardize API credential handling and startup auth checks to prevent "missing key" regressions across sessions. Use when an agent repeatedly loses auth sta...
README (SKILL.md)
Auth Guard
Enforce a deterministic auth path: one credential source, one helper command path, one startup check, one fallback policy.
Quick Workflow
- Identify the target service endpoint and current failing flow.
- Define canonical credential source (env var first, credentials file second).
- Create/update a helper script in workspace (
.pi/) that always injects auth. - Add a startup/auth-check command that verifies credentials and endpoint access.
- Update HEARTBEAT.md or AGENTS.md to require helper usage (ban raw unauthenticated calls).
- Add explicit fallback behavior for unauthorized states.
Rules to Apply
- Prefer
ENV_VARoverride, then~/.config/\x3Cservice>/credentials.json. - Never embed secrets in logs, memory notes, or chat responses.
- Never call protected endpoints via raw curl if a helper exists.
- Keep fallback behavior explicit and low-noise.
- Store helper scripts in
workspace/.pi/for easy reuse.
Runtime Requirements
bashcurlpython3
Check once before using this skill:
command -v bash curl python3 >/dev/null
Safety Limits
- Pass only trusted credential paths under
~/.config/\x3Cservice>/...by default. - Do not point
--cred-fileat arbitrary workspace files or unrelated secret stores. - Keep probe URLs scoped to the target service auth endpoint.
Startup Auth Check Pattern
Run at session start (or before heartbeat loops):
bash skills/auth-guard/scripts/auth_check.sh \
--service moltbook \
--url 'https://www.moltbook.com/api/v1/feed?sort=new&limit=1' \
--env-var MOLTBOOK_API_KEY \
--cred-file "$HOME/.config/moltbook/credentials.json"
Expected outcomes:
AUTH_OK→ proceed with normal authenticated helper flow.AUTH_MISSINGorAUTH_FAIL_*→ use defined fallback path and record one concise note.
Reusable Snippets
Use drop-in policy snippets from:
references/snippets.md(HEARTBEAT + AGENTS + helper policy blocks)
References
references/contract.mdfor the full Keychain Contract patternreferences/snippets.mdfor ready-to-paste operational snippetsreferences/examples.mdfor multi-service usage examples (Moltbook, GitHub, Slack)
Usage Guidance
This skill appears coherent and limited to auth-probing behavior. Before installing or running: (1) review the included scripts in skills/auth-guard/scripts/auth_check.sh and any helper templates you copy into workspace/.pi/ so you understand what will be executed; (2) only pass probe URLs you trust and that belong to the target service (the script requires https://); (3) keep credential files under ~/.config/ as advised and ensure those files have appropriate filesystem permissions; (4) when adding the helper to HEARTBEAT.md/AGENTS.md, ensure teammates know the canonical retrieval order (env var first) so no automation unintentionally loses access; (5) if you plan to use helper scripts that read other local credential formats (e.g., gh/gh auth), integrate those carefully rather than pointing --cred-file at arbitrary workspace files.
Capability Analysis
Type: OpenClaw Skill
Name: auth-guard
Version: 1.1.1
The 'auth-guard' skill is designed to standardize and verify API credential handling for an AI agent. It includes a bash script (scripts/auth_check.sh) that validates credentials from environment variables or local configuration files (~/.config/) and performs a connectivity check via curl. The skill includes several security-conscious features, such as enforcing HTTPS for probe URLs, restricting credential file access to the user's config directory, and explicit instructions in SKILL.md and references/contract.md to never log or expose raw secrets.
Capability Assessment
Purpose & Capability
Name/description, examples, SKILL.md, and scripts all focus on performing an auth probe for protected endpoints and establishing helper scripts. The included script accepts a service name, probe URL, env-var name, and credentials file — exactly what an auth-check tool needs. No unrelated resources (cloud creds, extra binaries, or external services) are requested.
Instruction Scope
Runtime instructions and the provided script limit actions to reading an env var or a credentials JSON (under ~/.config/*), probing an HTTPS endpoint with curl, and returning a short status string. The SKILL.md explicitly warns against logging secrets and against pointing cred-file at arbitrary workspace files. There is no instruction to collect or transmit secrets elsewhere.
Install Mechanism
No install spec; this is instruction-only with one included helper script. Nothing is downloaded or written by an installer. Risk is limited to executing the provided script (which the user can review).
Credentials
The registry metadata declares no required env vars or primary credential. The script takes an env-var name as a parameter and checks a credentials file path supplied at runtime; it does not demand unrelated secrets. It also enforces that credential files must live under $HOME/.config/, reducing the chance of reading arbitrary workspace secrets.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent or elevated privileges, nor does it modify other skills' configs. It asks users to place helper scripts in workspace/.pi/, which is normal for helper tooling and something the user should review before executing.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install auth-guard - After installation, invoke the skill by name or use
/auth-guard - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.1
Tightened auth probe safety limits and fixed Moltbook URL normalization to eliminate false unauthorized checks.
v1.0.1
auth-guard 1.0.1 — No visible changes
- No file changes were detected in this version.
- Documentation, rules, and workflow remain the same as the previous release.
- No updates to code, scripts, or reference materials.
v1.0.0
Initial release of auth-guard — a standardized approach to API credential handling and startup authentication checks.
- Enforces a single credential source and deterministic startup auth check to prevent "missing key" regressions.
- Provides a recommended workflow: credential sourcing, helper scripts, startup checks, and fallback policy.
- Includes rules for secure, reusable helper script usage and explicit unauthorized fallback handling.
- Supplies a standard startup auth check pattern and example script invocation.
- Offers reference snippets and contracts for easy integration into agent workflows and documentation.
Metadata
Frequently Asked Questions
What is Auth Guard?
Standardize API credential handling and startup auth checks to prevent "missing key" regressions across sessions. Use when an agent repeatedly loses auth sta... It is an AI Agent Skill for Claude Code / OpenClaw, with 376 downloads so far.
How do I install Auth Guard?
Run "/install auth-guard" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Auth Guard free?
Yes, Auth Guard is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Auth Guard support?
Auth Guard is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Auth Guard?
It is built and maintained by Ada Vale (@adainthelab); the current version is v1.1.1.
More Skills