Total downloads: 693
Favorites: 2
Currently installed: 3
Versions: 1
Install in OpenClaw:
/install authorization
Description
Build secure access control with RBAC, ABAC, permissions, policies, and scope-based authorization.
Usage instructions (SKILL.md)
When to Use
User needs to control what actions users can perform. Agent handles permission design, role hierarchies, policy evaluation, and access control middleware.
Quick Reference
| Topic | File |
|---|---|
| RBAC vs ABAC comparison | models.md |
| Implementation patterns | patterns.md |
| Framework middleware | middleware.md |
Core Rules
1. Auth ≠ Authorization
- Authentication: Who you are (login, OAuth, tokens)
- Authorization: What you can do (permissions, roles, policies)
- Never mix concerns — auth happens BEFORE authorization
2. Principle of Least Privilege
- Default deny — explicit grants only
- Users get minimum permissions for their job
- Audit permissions periodically (revoke unused)
- Temporary elevation over permanent grants
3. Choose the Right Model
| Model | Best For | Complexity |
|---|---|---|
| ACL | Simple resource ownership | Low |
| RBAC | Organizational hierarchies | Medium |
| ABAC | Dynamic context-based rules | High |
| ReBAC | Social graphs, sharing | High |
Start simple → evolve when needed.
4. Role Design Patterns
- Roles represent jobs, not permissions
- Max 3 inheritance levels (admin → manager → user)
- Avoid role explosion — combine with ABAC for edge cases
- Document role definitions (what can this role DO?)
5. Permission Naming
```
resource:action:scope
documents:write:own   ← Can edit own documents
documents:write:team  ← Can edit team documents
documents:delete:all  ← Can delete any document
```
Consistent naming prevents ambiguity.
6. Policy Evaluation Order
- Explicit deny → always wins
- Explicit allow → checked second
- No match → default deny
- Log all denials for debugging
7. Never Hardcode
```javascript
// ❌ Bad — hardcoded role check
if (user.role === 'admin') { ... }

// ✅ Good — permission check
if (can(user, 'settings:update')) { ... }
```
Roles change. Permissions are stable.
Common Traps
- Checking roles instead of permissions → brittle when roles change
- OR logic in permissions → "can edit OR is admin" creates backdoors
- Caching permissions too long → stale grants after role changes
- Frontend-only checks → always verify server-side
- God roles → split "admin" into specific permission sets
- Circular inheritance → A inherits B inherits A crashes system
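The rules above (permission naming, deny-before-allow evaluation with default deny, logged denials, permission checks instead of role checks, bounded role inheritance with cycle detection) in one small JavaScript permission checker. This is an added example, not code from the skill or its bundled files. It assumes a scope ordering of own < team < all (a wider grant covers a narrower request), a role table keyed by role name, and user objects carrying an `id` and a `roles` array; all role and user data below are constructed.

```javascript
// Added example: a permission checker following the skill's core rules.
// Role table, users and permissions are constructed sample data.

const MAX_INHERITANCE_DEPTH = 3; // admin -> manager -> user and no deeper

// Assumed scope ordering: a grant at a wider scope covers narrower requests.
const SCOPE_RANK = { own: 1, team: 2, all: 3 };

// Constructed sample roles. `inherits` lists parent roles; allow/deny hold
// resource:action:scope permission strings.
const ROLES = {
  user:       { inherits: [],          allow: ['documents:read:own', 'documents:write:own'], deny: [] },
  manager:    { inherits: ['user'],    allow: ['documents:read:team', 'documents:write:team'], deny: [] },
  admin:      { inherits: ['manager'], allow: ['documents:delete:all', 'settings:update:all'], deny: [] },
  // Contractors inherit "user" but are explicitly denied writes even to their own documents.
  contractor: { inherits: ['user'],    allow: [], deny: ['documents:write:own'] },
};

// Parse and validate a permission string; malformed permissions fail closed (throw).
function parsePermission(str) {
  const parts = str.split(':');
  if (parts.length !== 3 || parts.some(p => p.length === 0)) throw new Error(`malformed permission ${str}`);
  const [resource, action, scope] = parts;
  if (!(scope in SCOPE_RANK)) throw new Error(`unknown scope ${scope} in ${str}`);
  return { resource, action, scope };
}

// A grant covers a request when resource and action match and its scope is at least as wide.
function covers(grant, needed) {
  return grant.resource === needed.resource && grant.action === needed.action
    && SCOPE_RANK[grant.scope] >= SCOPE_RANK[needed.scope];
}

// Walk the role graph collecting allow/deny sets. Throws on circular inheritance
// and when the hierarchy exceeds MAX_INHERITANCE_DEPTH, instead of recursing forever.
function resolveRole(roleName, roles = ROLES, visiting = new Set(), depth = 1) {
  if (visiting.has(roleName)) throw new Error(`circular role inheritance at ${roleName}`);
  if (depth > MAX_INHERITANCE_DEPTH) throw new Error(`role hierarchy deeper than ${MAX_INHERITANCE_DEPTH}`);
  const role = roles[roleName];
  if (!role) throw new Error(`unknown role ${roleName}`);
  visiting.add(roleName);
  const allow = new Set(role.allow);
  const deny = new Set(role.deny);
  for (const parent of role.inherits) {
    const resolved = resolveRole(parent, roles, visiting, depth + 1);
    resolved.allow.forEach(p => allow.add(p));
    resolved.deny.forEach(p => deny.add(p));
  }
  visiting.delete(roleName); // allow diamond inheritance, reject only true cycles
  return { allow, deny };
}

// Evaluation order: explicit deny wins, then explicit allow, otherwise default deny.
// Returns a reason so every denial can be logged with context.
function evaluate(user, permission, roles = ROLES) {
  const needed = parsePermission(permission);
  const allow = new Set();
  const deny = new Set();
  for (const roleName of user.roles ?? []) {
    const resolved = resolveRole(roleName, roles);
    resolved.allow.forEach(p => allow.add(p));
    resolved.deny.forEach(p => deny.add(p));
  }
  for (const d of deny) if (covers(parsePermission(d), needed)) return { allowed: false, reason: `explicit deny ${d}` };
  for (const a of allow) if (covers(parsePermission(a), needed)) return { allowed: true, reason: `allow ${a}` };
  return { allowed: false, reason: 'no matching grant (default deny)' };
}

// The check call sites use; never compare role names directly.
function can(user, permission, roles = ROLES) {
  const result = evaluate(user, permission, roles);
  if (!result.allowed) console.log(`DENY user=${user.id} perm=${permission} reason=${result.reason}`);
  return result.allowed;
}

// Constructed sample users.
const alice = { id: 'alice', roles: ['admin'] };
const bob   = { id: 'bob',   roles: ['user'] };
const carol = { id: 'carol', roles: ['contractor'] };

console.log(can(alice, 'settings:update:all'));   // true
console.log(can(bob,   'documents:write:team'));  // false, logged: default deny
console.log(can(carol, 'documents:write:own'));   // false, logged: explicit deny
```

Note that `contractor` still inherits the `documents:write:own` allow from `user`; the explicit deny on the same permission wins because denies are checked first, which is exactly the "deny always wins" ordering from rule 6. Cycles and over-deep hierarchies are rejected at resolution time rather than at request time, so a bad role table fails loudly before it can grant anything.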
Security & Privacy
Data that stays local:
- All documentation and patterns are reference material
- No data collection or external requests
This skill does NOT:
- Access your codebase automatically
- Make network requests
- Store any user data
Feedback
- If useful: `clawhub star authorization`
- Stay updated: `clawhub sync`
Safe usage advice
This skill is documentation and implementation examples for building authorization systems — it does not ask for credentials, perform installs, or make network requests. It's safe to read and use as guidance. When you copy examples into your code, take care to: (1) supply secrets (JWT secret, Redis credentials) from secure environment/storage, not hardcode them; (2) audit and protect any authorization audit logs (they may contain IPs or user agents); and (3) avoid running unfamiliar external commands like 'clawhub sync' without understanding what they do. If you plan to let an autonomous agent modify your codebase using this guidance, ensure the agent has only the minimal file access necessary and does not have access to other credentials or systems.
Feature analysis
Type: OpenClaw Skill
Name: authorization
Version: 1.0.0
This skill bundle is benign. It consists entirely of documentation files (`.md`) and metadata (`_meta.json`) providing educational content and best practices for implementing authorization. The `SKILL.md` explicitly states that the skill does not access user code, make network requests, or store user data, and its metadata declares no external binaries are required. There is no executable code, no shell commands, no prompt injection attempts, and no evidence of malicious intent or risky capabilities.
Capability assessment
Purpose & Capability
Name/description (authorization, RBAC/ABAC patterns, middleware) matches the content: guidance, code snippets, and design patterns. The skill requires no binaries, env vars, or installs, which is proportional for a reference/authoring skill.
Instruction Scope
SKILL.md and the included files are reference material and implementation examples (middleware.md, models.md, patterns.md). They do not instruct the agent to read local files, access environment variables, or make network requests at runtime. Some examples mention secrets (jwt secret) and logging request context; these are illustrative for implementers, not commands for the agent to exfiltrate data.
Install Mechanism
No install specification is present (instruction-only), so nothing will be downloaded or written to disk—lowest installation risk.
Credentials
The skill declares no required environment variables or credentials. Example code references typical implementation artifacts (jwt secret, redis), but the skill doesn't request them. This is proportionate for a design/reference skill.
Persistence & Privilege
always:false and normal model invocation settings. The skill does not request persistent presence or attempt to modify other skills or system-wide settings.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install authorization
- After installation, call the skill by name or trigger it with /authorization
- Provide the required input according to the skill's parameter description to receive structured output
Version history
v1.0.0
Initial release
Metadata
FAQ
What is Authorization?
Build secure access control with RBAC, ABAC, permissions, policies, and scope-based authorization. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 693 downloads to date.
How do I install Authorization?
Run the command "/install authorization" in the OpenClaw or Claude Code chat box for one-click installation; no extra configuration is needed.
Is Authorization free?
Yes, Authorization is completely free (open source) and can be freely downloaded, installed and used.
Which platforms does Authorization support?
Authorization runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (linux, darwin, win32).
Who developed Authorization?
Developed and maintained by Iván (@ivangdavila); current version v1.0.0.