← 返回 Skills 市场
1270
总下载
3
收藏
10
当前安装
4
版本数
在 OpenClaw 中安装
/install auth
功能描述
Build secure authentication with sessions, JWT, OAuth, passwordless, MFA, and SSO for web and mobile apps.
使用说明 (SKILL.md)
Documentation-Only Skill
This skill is a reference guide. It contains code examples that demonstrate authentication patterns.
Important: The code examples in this skill:
- Are templates for developers to adapt
- Show placeholder values (SECRET, API_KEY, etc.)
- Reference external services as examples only
- Are NOT executed by the agent
The agent provides guidance. The developer implements in their own project.
When to Use
User needs guidance on implementing authentication. Agent explains patterns for login flows, token strategies, password security, OAuth integration, and session management.
Quick Reference
| Topic | File |
|---|---|
| Session vs JWT strategies | strategies.md |
| Password handling | passwords.md |
| MFA implementation | mfa.md |
| OAuth and social login | oauth.md |
| Framework middleware | middleware.md |
Scope
This skill ONLY:
- Explains authentication concepts
- Shows code patterns as examples
- Provides best practice guidance
This skill NEVER:
- Executes code
- Makes network requests
- Accesses credentials
- Stores data
- Reads environment variables
Note on Code Examples
Code examples in auxiliary files show:
- Environment variables like
process.env.JWT_SECRET- these are placeholders - API calls to OAuth providers - these are reference patterns
- Secrets like
SECRET,REFRESH_SECRET- these are example names
The agent does not have access to these values. They demonstrate what the developer should configure in their own project.
Core Rules
1. Auth vs Authorization
- Authentication: Who you are (this skill)
- Authorization: What you can do (different concern)
- Auth happens FIRST, then authorization checks permissions
2. Choose the Right Strategy
| Use Case | Strategy | Why |
|---|---|---|
| Traditional web app | Sessions + cookies | Simple, instant revocation |
| Mobile app | JWT (short-lived) + refresh token | No cookies, offline support |
| API/microservices | JWT | Stateless, scalable |
| Enterprise | SSO (SAML/OIDC) | Central identity management |
| Consumer | Social login + email fallback | Reduced friction |
3. Never Roll Your Own Crypto
- Use bcrypt (cost 12) or Argon2id for passwords
- Use battle-tested libraries for JWT, OAuth
- Never implement password hashing, token signing manually
- Never store plaintext or reversibly encrypted passwords
4. Defense in Depth
Rate limiting -> CAPTCHA -> Account lockout -> MFA -> Audit logging
5. Secure by Default
- httpOnly + Secure + SameSite=Lax for cookies
- Short token lifetimes (15min access, 7d refresh)
- Regenerate session ID on login
- Require re-auth for sensitive operations
6. Fail Securely
// Bad - reveals if email exists
if (!user) return { error: 'User not found' };
// Good - same error for both cases
if (!user || !validPassword) {
return { error: 'Invalid credentials' };
}
7. Log Everything (Except Secrets)
| Log | Do Not Log |
|---|---|
| Login success/failure | Passwords |
| IP, user agent, timestamp | Tokens |
| MFA events | Session IDs |
| Password changes | Recovery codes |
Common Traps
- Storing passwords with MD5/SHA1 - use bcrypt or Argon2id
- JWT with long expiry (30d) - use short access + refresh token
- Revealing if email exists - use generic error message
- Hard account lockout - enables denial of service
- SMS for MFA - vulnerable to SIM swapping
- No rate limiting on login - enables brute force
Feedback
- If useful:
clawhub star auth - Stay updated:
clawhub sync
安全使用建议
This is a documentation/reference skill — safe to install from a capability perspective. Important cautions: do not paste real secrets (API keys, private keys, JWT secrets) into chat when asking for help; treat code snippets as templates and review/adapt them before copying into production (verify token handling, encryption, storage and network calls). The skill itself does not request credentials or execute code, but any code you implement from the examples will run in your environment and must be secured accordingly.
功能分析
Type: OpenClaw Skill
Name: auth
Version: 1.3.0
The skill bundle is explicitly declared as a 'Documentation-Only Skill' across multiple files, including SKILL.md and all auxiliary markdown files containing code examples. It clearly states that the agent 'NEVER: Executes code, Makes network requests, Accesses credentials, Stores data, Reads environment variables'. The code examples provided are for reference and educational purposes, using placeholders for sensitive values. There is no evidence of malicious intent, prompt injection attempts against the agent for harmful actions, or any risky capabilities being executed by the agent itself.
能力评估
Purpose & Capability
Name/description (authentication patterns: sessions, JWT, OAuth, MFA, SSO) matches the content: extensive example code and design guidance. No unexpected binaries, env vars, or secrets are requested by the skill metadata.
Instruction Scope
SKILL.md and auxiliary files are explicit that examples are reference-only, not executed, and that the agent should not access credentials, make network calls, or read environment variables. The examples show network calls and env-var placeholders, which is expected for a developer reference and do not indicate hidden runtime actions.
Install Mechanism
No install spec and no code files that would be written/executed on the host. Lowest-risk form (instruction-only).
Credentials
The skill declares no required environment variables or credentials. Example snippets reference placeholders like process.env.JWT_SECRET, but these are documented as developer-side placeholders and not requested by the skill itself.
Persistence & Privilege
Skill is not always-enabled and does not request persistent privileges or modify other skills/config. Model-invocation is allowed (platform default) but the skill has no autonomy-sensitive artifacts to act on.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install auth - 安装完成后,直接呼叫该 Skill 的名称或使用
/auth触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.3.0
Added documentation-only disclaimer, clarified example code does not execute
v1.2.0
Added explicit Scope section, clarified that code examples are reference patterns
v1.1.0
Complete rewrite with comprehensive coverage: strategies (sessions vs JWT), passwords, MFA, OAuth, and framework middleware
v1.0.0
Initial release
元数据
常见问题
Auth 是什么?
Build secure authentication with sessions, JWT, OAuth, passwordless, MFA, and SSO for web and mobile apps. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1270 次。
如何安装 Auth?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install auth」即可一键安装,无需额外配置。
Auth 是免费的吗?
是的,Auth 完全免费(开源免费),可自由下载、安装和使用。
Auth 支持哪些平台?
Auth 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(linux, darwin, win32)。
谁开发了 Auth?
由 Iván(@ivangdavila)开发并维护,当前版本 v1.3.0。
推荐 Skills