lucaperret

MCP OAuth

by Luca · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
219 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install mcp-oauth
Description
Add OAuth 2.0 PKCE authentication to a remote MCP server. Use this skill whenever the user wants to add authentication to an MCP server, protect MCP tools wi...
Usage Guidance
This skill appears to implement an OAuth PKCE flow for MCP servers, but the package metadata omits the real runtime requirements. Before installing or using it, ask the author (or require the skill to document) the exact environment/config needed:
- Which env vars are required (e.g., NEXT_PUBLIC_SITE_URL, REDIS_URL, upstream provider client_id and client_secret if any)?
- What npm packages must be installed (mcp-handler, Next.js dependencies)?
- Where are tokens/sessions stored and how should they be secured (Redis config, TLS, access controls)?
- Confirm the intended redirect_uri whitelist and whether 'none' auth on token endpoint is acceptable for your upstream provider.

Also: do not deploy this to production until you verify TLS is enforced, secrets are stored in a secure vault, and the Redis instance is access-controlled. If the author provides a clear list of required env vars, dependency list, and secure deployment instructions, many of the concerns above would be resolved.
Capability Analysis
Type: OpenClaw Skill
Name: mcp-oauth
Version: 1.0.0
The skill provides a legitimate and well-structured template for implementing OAuth 2.0 PKCE authentication in Model Context Protocol (MCP) servers. It includes standard implementation patterns for discovery, dynamic client registration, and token exchange using Next.js API routes and Redis for session storage. No malicious code, data exfiltration, or harmful prompt injection attempts were found in SKILL.md or the associated logic.
Capability Assessment
Purpose & Capability
The name/description claim to add OAuth PKCE to an MCP server and the instructions implement that. However the SKILL.md references Redis, Next.js route files, the mcp-handler library, and runtime env vars (e.g., NEXT_PUBLIC_SITE_URL) and implicitly expects upstream OAuth client IDs/secrets or provider metadata. The registry metadata lists no required env vars, binaries, or dependencies, which is inconsistent with the implementation work the instructions describe.
Instruction Scope
The runtime instructions tell the implementer/agent to create endpoints that store sessions and tokens in Redis, perform dynamic client registration, handle PKCE flows, and perform redirects to upstream OAuth providers. The SKILL.md reads environment variables (NEXT_PUBLIC_SITE_URL), uses an undeclared redis object, and assumes network calls to third-party OAuth providers. It does not explicitly list or require the Redis connection string, upstream client credentials, or other sensitive config, so the instruction scope accesses and handles sensitive data without declaring or justifying the required secrets or configuration steps.
Install Mechanism
No install spec and no code files beyond SKILL.md and evals.json: this is instruction-only, so nothing will be automatically downloaded or executed by the installer. That's the lowest install risk.
Credentials
The manifest declares no required environment variables or credentials, but the instructions clearly rely on runtime configuration (site URL, Redis connection, likely provider client IDs/secrets, possibly callback URLs). That absence is a red flag: code that manages OAuth tokens and sessions normally needs secrets and secure storage; the skill neither declares nor explains them, so required privileges and secrets are under-specified and could be misapplied.
Persistence & Privilege
`always` is false; the skill is user-invocable and can be invoked autonomously (the platform default). The skill doesn't request permanent agent-wide privileges or attempt to modify other skills or system-wide configs.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install mcp-oauth
  3. After installation, invoke the skill by name or use /mcp-oauth
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of mcp-oauth, providing OAuth 2.0 PKCE authentication for remote MCP servers.
- Implements OAuth discovery, dynamic client registration, authorization endpoint, token exchange, and refresh flows as per MCP authorization spec.
- Includes code samples for Next.js server routes to enable:
  - Standards-based OAuth discovery and protected resource metadata endpoints.
  - Dynamic client registration (RFC 7591).
  - Secure authorization and callback logic for integrating with upstream OAuth services.
- Protects MCP endpoints and tools with user-level token-based access.
- Designed to trigger for any user request regarding adding authentication or OAuth to an MCP server.
Metadata
Slug mcp-oauth
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is MCP OAuth?

Add OAuth 2.0 PKCE authentication to a remote MCP server. Use this skill whenever the user wants to add authentication to an MCP server, protect MCP tools wi... It is an AI Agent Skill for Claude Code / OpenClaw, with 219 downloads so far.

How do I install MCP OAuth?

Run "/install mcp-oauth" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is MCP OAuth free?

Yes, MCP OAuth is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does MCP OAuth support?

MCP OAuth is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created MCP OAuth?

It is built and maintained by Luca (@lucaperret); the current version is v1.0.0.
