a2a-Market-Google-OAuth
Author: luoqianchenguni-max · GitHub · v0.2.0 · MIT-0
Total downloads: 243
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install a2a-market-google-oauth
Description
Handle Google OAuth login, account linking, and session bootstrap for A2A market users and operators. Use when implementing identity login endpoints, callbac...
Usage instructions (SKILL.md)
a2a-Market Google OAuth

Create a stable OAuth integration shell for buyer and merchant sign-in.

Current status: publish-ready scaffold. Keep flows explicit and deterministic before full SSO hardening.

Scope
- Implement Google OAuth authorization code flow.
- Link external identity to internal Agent/Operator profile.
- Bootstrap session token and refresh workflow after callback.

Suggested Project Layout
- app/integrations/oauth/google_client.py
- app/interfaces/api/auth_routes.py
- app/application/services/session_service.py
- app/protocol/identity/user_identity_mapper.py

Minimum Contracts (MVP P0)
- GET /auth/google/start builds state + redirect URL.
- GET /auth/google/callback validates state and exchanges code.
- upsert_identity(provider, provider_user_id, email) returns internal principal id.
- create_session(principal_id) returns short-lived access token and refresh token.

Security Baseline
- Validate state and nonce against server-side cache.
- Reject callback if issuer/audience do not match configuration.
- Store only hashed refresh tokens and rotate on use.

Events
- Emit login event to audit log stream.
- Emit session-created event for WebSocket presence bootstrap.

Implementation Backlog
- Add account merge flow for duplicate emails across providers.
- Add step-up verification for risky sessions.

Runtime Implementation
- Status: implemented in local runtime package.
- Primary code paths: runtime/src/integrations/oauth/google-oauth-service.js
- Validation: covered by runtime/tests and npm test in runtime/.
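
An added example (not part of the skill package, whose runtime code is not shown on this page) of the Security Baseline rules for state/nonce validation and hashed, rotated refresh tokens. The in-memory Maps, the 10-minute TTL, the function names and the revoke-all-on-replay behaviour are assumptions; ID token signature and issuer/audience checks are left out.

```javascript
// Added example: in-memory stand-ins for the server-side cache and token store.
const crypto = require('node:crypto');

const STATE_TTL_MS = 10 * 60 * 1000;   // assumed lifetime of a pending login
const pendingLogins = new Map();       // state -> { nonce, expiresAt }
const refreshTokens = new Map();       // sha256(token) -> { principalId, used }

const sha256 = (v) => crypto.createHash('sha256').update(v).digest('hex');

// GET /auth/google/start: mint state + nonce and remember them server-side.
function startLogin(now = Date.now()) {
  const state = crypto.randomBytes(32).toString('base64url');
  const nonce = crypto.randomBytes(32).toString('base64url');
  pendingLogins.set(state, { nonce, expiresAt: now + STATE_TTL_MS });
  return { state, nonce };
}

// GET /auth/google/callback: state is single-use; the cached nonce must equal
// the nonce claim taken from the (already signature-verified) ID token.
function validateCallback(state, idTokenNonce, now = Date.now()) {
  const entry = pendingLogins.get(state);
  pendingLogins.delete(state);         // consume the state even on failure
  if (!entry || now > entry.expiresAt) return false;
  const a = Buffer.from(entry.nonce);
  const b = Buffer.from(String(idTokenNonce));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// create_session side: hand out the raw refresh token, persist only its hash.
function issueRefreshToken(principalId) {
  const token = crypto.randomBytes(32).toString('base64url');
  refreshTokens.set(sha256(token), { principalId, used: false });
  return token;
}

// Rotate on use: a token redeems once. Presenting it again is treated as
// replay (assumed policy) and revokes every token of that principal.
function rotateRefreshToken(token) {
  const rec = refreshTokens.get(sha256(String(token)));
  if (!rec) return null;
  if (rec.used) {
    for (const [h, r] of refreshTokens) {
      if (r.principalId === rec.principalId) refreshTokens.delete(h);
    }
    return null;
  }
  rec.used = true;
  return issueRefreshToken(rec.principalId);
}
```
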
Security usage recommendations
This package reads like a scaffold/README rather than a runnable skill; it describes OAuth flows and references runtime code and tests that are not included. Before installing or using it: 1) ask the author for the source repository or homepage and for the actual runtime code mentioned in SKILL.md; 2) confirm which environment variables (Google client_id/client_secret, token storage creds, audit/event endpoints) the skill will need and where they will be stored; 3) require that secrets be kept out of the skill package and provided explicitly via secure platform credential storage; 4) inspect any runtime code and tests for safe handling of tokens, nonce/state validation, and event emissions; 5) avoid granting the skill broad agent/system access until you can verify its implementation and the minimal set of credentials it actually needs. If the owner provides matching code and explicit env var declarations for only the expected OAuth items, the coherence concern can be resolved.
Functional analysis
Type: OpenClaw Skill
Name: a2a-market-google-oauth
Version: 0.2.0
The skill bundle contains architectural instructions and metadata for implementing a standard Google OAuth 2.0 flow. The SKILL.md file outlines a secure implementation strategy, including state/nonce validation and token rotation, and does not contain any malicious commands, data exfiltration logic, or prompt injection attempts.
Capability assessment
Purpose & Capability
The SKILL.md describes implementing Google OAuth (authorization code flow, token exchange, refresh tokens, session bootstrap). A legitimate OAuth integration requires provider credentials (client_id, client_secret), redirect URIs, storage for tokens, and configuration. The skill metadata declares no required environment variables, secrets, or config paths — that's inconsistent with the stated purpose.
Instruction Scope
Instructions are fairly specific about endpoints, state/nonce validation, hashing refresh tokens, and emitting audit and session events. They also claim a local runtime implementation and list primary code paths (runtime/src/... and npm test), but no code is packaged and no install steps are provided. Emitting audit/log and WebSocket events implies integration with infrastructure or credentials that are not declared.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. That minimizes on-disk install risk, but it also means the SKILL.md is the only behavioral surface — which heightens the importance of consistency between instructions and declared requirements.
Credentials
No environment variables or primary credential are declared, yet OAuth needs at minimum a Google client ID and client secret, plus likely storage/access creds for session/token storage and event/audit systems. The absence of declared secrets is disproportionate and unexplained.
Persistence & Privilege
always is false and there is no claim the skill will persistently modify agent/system settings. No evidence of elevated privileges or forced inclusion.
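How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install a2a-market-google-oauth
- After installation, call the Skill by name or use /a2a-market-google-oauth to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history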
v0.2.0
sync runtime implementation and validation coverage
v0.1.0
initial scaffold for early registration
FAQ
What is a2a-Market-Google-OAuth?
Handle Google OAuth login, account linking, and session bootstrap for A2A market users and operators. Use when implementing identity login endpoints, callbac... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 243 total downloads so far.
How do I install a2a-Market-Google-OAuth?
Run the command "/install a2a-market-google-oauth" in the OpenClaw or Claude Code chat box for one-step installation; no additional configuration is required.
Is a2a-Market-Google-OAuth free?
Yes, a2a-Market-Google-OAuth is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does a2a-Market-Google-OAuth support?
a2a-Market-Google-OAuth is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed a2a-Market-Google-OAuth?
Developed and maintained by luoqianchenguni-max (@luoqianchenguni-max); the current version is v0.2.0.