d9m1n1c

Account & Authentication

Author: D9m1n1c · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ✓ Security check passed
Total downloads: 298 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install aiotnetwork-account-auth
Description
Account signup, login via email/OTP/wallet/biometric, token refresh, password reset, and session management.
Usage (SKILL.md)

Account & Authentication

Use this skill when the user needs to sign up, log in, manage sessions, reset their password, or link a Web3 wallet.

Configuration

The default API base URL is https://payment-api-dev.aiotnetwork.io. All endpoints are relative to this URL.

To override (e.g. for local development):

export AIOT_API_BASE_URL="http://localhost:8080"

If AIOT_API_BASE_URL is not set, use https://payment-api-dev.aiotnetwork.io as the base for all requests.

Available Tools

  • send_otp — Send a one-time password to an email address | POST /api/v1/auth/otp/send
  • verify_otp — Verify an OTP code and receive a verification token | POST /api/v1/auth/otp/verify
  • otp_rate_limit_status — Check OTP rate limit status for the current session | GET /api/v1/auth/otp/status
  • signup — Create a new account with email, password, and OTP verification token | POST /api/v1/auth/signup
  • login — Login with email and password | POST /api/v1/auth/login
  • login_with_wallet — Login by signing a nonce with a Web3 wallet | POST /api/v1/auth/wallet
  • get_wallet_nonce — Get a nonce for wallet-based login | GET /api/v1/auth/wallet/nonce
  • biometric_login — Login using biometric credentials | POST /api/v1/auth/biometric
  • refresh_token — Refresh an expired access token using a refresh token | POST /api/v1/auth/refresh
  • reset_password — Reset account password using OTP verification | POST /api/v1/auth/reset-password
  • unlock_account — Unlock a locked account | POST /api/v1/auth/unlock
  • get_account — Get current account information | GET /api/v1/account | Requires auth
  • update_password — Change account password | PUT /api/v1/account/password | Requires auth
  • link_wallet — Link a Web3 wallet to the account | PUT /api/v1/account/wallet | Requires auth
  • unlink_wallet — Remove a linked Web3 wallet | DELETE /api/v1/account/wallet | Requires auth
  • logout — Logout current session | POST /api/v1/account/logout | Requires auth
  • logout_all — Logout from all sessions | POST /api/v1/account/logout-all | Requires auth

Recommended Flows

Sign Up

Create a new account via email and OTP

  1. Send OTP: POST /api/v1/auth/otp/send with {email, type: "registration"}
  2. Verify OTP: POST /api/v1/auth/otp/verify with {email, code, type: "registration"} — returns verification_token
  3. Sign up: POST /api/v1/auth/signup with {email, password, verification_token}

Login

Authenticate and receive access/refresh tokens

  1. Login: POST /api/v1/auth/login with {email, password} — returns access_token, refresh_token
  2. Use access_token as Bearer token in Authorization header for all authenticated requests
  3. When access_token expires, refresh: POST /api/v1/auth/refresh with {refresh_token}

Rules

  • OTP is required for signup and password reset — always send then verify before proceeding
  • Access tokens expire after 1 hour — use refresh_token to get a new one
  • After 5 failed login attempts the account is locked — use /auth/unlock to recover
  • Never store or log passwords — use them transiently only

Agent Guidance

Follow these instructions when executing this skill:

  • Always follow the documented flow order. Do not skip steps.

  • If a tool requires authentication, verify the session has a valid bearer token before calling it.

  • If a tool requires a transaction PIN, ask the user for it fresh each time. Never cache or log PINs.

  • Never expose, log, or persist secrets (passwords, tokens, full card numbers, CVVs).

  • If the user requests an operation outside this skill's scope, decline and suggest the appropriate skill.

  • If a step fails, check the error and follow the recovery guidance below before retrying.

  • To sign up a new user: first call send_otp with type "registration", then verify_otp with type "registration", then signup. Never skip OTP verification.

  • Valid OTP types: "registration" (signup), "forget_password", "account_unlock", "pin_setup", "pin_reset". Always use the correct type for the operation.

  • To reset a password: first call send_otp with type "forget_password", then verify_otp, then reset_password with the verification token.

  • All authenticated endpoints require a bearer token obtained from login or login_with_wallet.

  • When the access token expires (1 hour TTL), call refresh_token with the refresh token. Do not ask the user to log in again.

  • Never log, store, or repeat the user's password back to them.

  • If login fails 5 times consecutively, the account locks. To unlock: call send_otp with type "account_unlock", then verify_otp, then unlock_account with the verification token.
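
An added example (not part of the skill or the original page) of two checks an agent runtime could apply around this skill: validating the AIOT_API_BASE_URL override and masking the secret fields named in the flows before anything is logged. The helper names, the loopback-only HTTP policy and the sample values are assumptions.

```python
import os
from urllib.parse import urlsplit

DEFAULT_BASE_URL = "https://payment-api-dev.aiotnetwork.io"  # default from the skill docs
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Body/response fields named in the skill's flows that must never reach a log.
SECRET_FIELDS = {"password", "code", "verification_token", "access_token", "refresh_token"}


def resolve_base_url(env=None):
    """Return the API base URL, rejecting overrides that would expose credentials."""
    env = os.environ if env is None else env
    base = (env.get("AIOT_API_BASE_URL") or DEFAULT_BASE_URL).strip()
    parts = urlsplit(base)
    if not parts.hostname:
        raise ValueError("base URL has no host")
    if parts.username or parts.password:
        raise ValueError("base URL must not embed credentials")
    # Assumed policy: plain HTTP is acceptable only for local development.
    is_local_http = parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS
    if parts.scheme != "https" and not is_local_http:
        raise ValueError("refusing non-HTTPS base URL for a remote host")
    return base.rstrip("/")


def redact(value):
    """Recursively mask secret fields in a request or response body."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if k in SECRET_FIELDS else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def log_line(method, path, body, env=None):
    """Build a log-safe description of a request: URL plus redacted body."""
    return f"{method} {resolve_base_url(env)}{path} {redact(body)}"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(log_line("POST", "/api/v1/auth/login",
                   {"email": "user@example.test", "password": "constructed-pw"},
                   env={"AIOT_API_BASE_URL": "http://localhost:8080"}))
```
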

Security Recommendations
This skill appears internally consistent, but review these practical checks before installing:

  1. Verify the API base URL (default: https://payment-api-dev.aiotnetwork.io) is a trusted endpoint for your use — consider overriding AIOT_API_BASE_URL for production to a verified domain and ensure HTTPS/TLS is enforced.
  2. The variable labeled as a "primary credential" is just a URL; no secrets are requested by the skill, but the API itself will handle authentication (tokens/OTP) — ensure the agent runtime will not persist or log tokens or passwords.
  3. Because this is an instruction-only skill with autonomous invocation allowed, confirm you trust the skill owner and the API service before allowing agent-initiated auth flows.
  4. If you need stronger safeguards, restrict the skill from running autonomously or audit network calls to the API during initial use.

If you want more assurance, request the skill's source or an official homepage from the publisher before using it in production.
Functional Analysis
Type: OpenClaw Skill
Name: aiotnetwork-account-auth
Version: 1.0.1
The skill bundle provides standard authentication and account management functionality for the AIoT Network, including email/OTP, Web3 wallet login, and session management. The instructions in SKILL.md are security-conscious, explicitly directing the AI agent to avoid logging or persisting sensitive secrets like passwords and PINs. All tools and endpoints are consistent with the stated purpose of the skill.
Capability Assessment
Purpose & Capability
The name/description (signup, login, session management, password reset, wallet linking) match the listed API endpoints and flows. All declared requirements (only AIOT_API_BASE_URL) are relevant to contacting the API. The only minor oddity is that the registry metadata marks the base URL as the "primary credential" even though a URL is not a secret credential; this appears to be a labeling choice rather than a functional mismatch.
Instruction Scope
SKILL.md provides specific HTTP endpoint flows (send OTP, verify OTP, signup, login, refresh, etc.) and explicitly confines behavior to those flows. Instructions do not ask the agent to read local files or unrelated environment variables, nor to transmit data to endpoints outside the documented API base URL. The guidance about never logging or persisting secrets is appropriate, though an instruction-only skill cannot technically enforce runtime logging policies.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only which minimizes on-disk risk. Nothing is downloaded or executed automatically.
Credentials
The skill only requires AIOT_API_BASE_URL, which is proportionate to an API client. Note: the registry marks that variable as a "primary credential" even though it is just a URL (not a secret). There are no requests for unrelated secrets or credentials.
Persistence & Privilege
always:false and no install-time persistence are present. The skill does not request permanent system presence or attempt to modify other skills or system configuration. The default ability for the agent to invoke the skill autonomously is normal and not by itself a concern.
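How to Use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install aiotnetwork-account-auth
  3. Once installed, invoke the skill by name or trigger it with /aiotnetwork-account-auth
  4. Provide the required inputs according to the skill's parameter description to get structured output.
Version History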
v1.0.1
  • Added environment configuration details, including use of the AIOT_API_BASE_URL variable and its default value.
  • Updated OTP flow: changed signup OTP type from "signup" to "registration" in docs and examples.
  • Listed all valid OTP types and clarified their use in flows.
  • No changes to API endpoints or tool functionality.
  • Improved instructions for local and default API base URL usage.
v1.0.0
Initial release of the Account & Authentication skill.
  • Supports account signup, email/OTP-based login, Web3 wallet and biometric login, session management, and password resets.
  • Implements token-based authentication with access and refresh tokens.
  • Tools included for sending and verifying OTPs, handling wallet linking, unlocking accounts, and managing sessions.
  • Enforces security best practices: do not store or log passwords or sensitive information.
  • Provides clear, step-by-step recommended flows for signup, login, and recovery.
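Metadata
Slug: aiotnetwork-account-auth
Version: 1.0.1
License: MIT-0
Total installs: 0
Current installs: 0
Versions: 2
FAQ

What is Account & Authentication?

Account signup, login via email/OTP/wallet/biometric, token refresh, password reset, and session management. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 298 total downloads to date.

How do I install Account & Authentication?

Run the command "/install aiotnetwork-account-auth" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is needed.

Is Account & Authentication free?

Yes. Account & Authentication is completely free, licensed under MIT-0, and can be freely downloaded, installed and used.

Which platforms does Account & Authentication support?

Account & Authentication is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Account & Authentication?

It is developed and maintained by D9m1n1c (@d9m1n1c); the current version is v1.0.1.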