← 返回 Skills 市场
Oauth Security Checker
作者
snipercat69
· GitHub ↗
· v1.4.0
· MIT-0
102
总下载
0
收藏
0
当前安装
4
版本数
在 OpenClaw 中安装
/install edgeiq-oauth-security-checker
功能描述
Detects OAuth 2.0 security flaws in web apps by checking redirect URIs, state parameter, PKCE, token endpoint, scopes, and authorization server details.
使用说明 (SKILL.md)
OAuth Security Checker
Skill Name: oauth-security-checker
Version: 1.0.0
Category: Security / Vulnerability Assessment
Price: Lifetime: $39 / Optional Monthly: $7/mo (includes all Pro features permanently)
Author: EdgeIQ Labs
OpenClaw Compatible: Yes — Python 3, pure stdlib, WSL + Linux
What It Does
Detects OAuth 2.0 misconfigurations, security flaws, and authorization issues in web applications. Checks redirect URI validation, token endpoint security, scope permissions, PKCE support, state parameter integrity, and more.
⚠️ Legal Notice: Only test OAuth integrations you own or have explicit written authorization to audit.
Features
- Redirect URI validation — tests for
localhost,null, and wildcard misconfigs - State parameter check — detects missing or weak CSRF protection
- PKCE support detection — identifies apps missing code challenge
- Token endpoint security — checks TLS, token format, expiration
- Scope analysis — flags overly broad permissions
- Implicit flow detection — warns about bearer token exposure
- Authorization server fingerprinting — identifies provider and version
- JSON export — structured results for reporting
Tier Comparison
| Feature | Free | Lifetime ($39) | Optional Monthly ($7/mo) |
|---|---|---|---|
| Redirect URI checks | ✅ (5 URIs) | ✅ (unlimited) | ✅ (unlimited) |
| State parameter test | ✅ | ✅ | ✅ |
| PKCE detection | ✅ | ✅ | ✅ |
| Token endpoint analysis | ✅ | ✅ | ✅ |
| Scope permission analysis | ✅ | ✅ | ✅ |
| Full OAuth provider fingerprint | ✅ | ✅ | ✅ |
| JSON export | ✅ | ✅ | ✅ |
Installation
cp -r /home/guy/.openclaw/workspace/apps/oauth-security-checker ~/.openclaw/skills/oauth-security-checker
Usage
Basic scan (free tier)
python3 oauth_checker.py --url "https://example.com/oauth/authorize?client_id=YOUR_ID&redirect_uri=https://example.com/callback&response_type=code&scope=read"
Pro scan with full analysis
[email protected] python3 oauth_checker.py \
--url "https://example.com/oauth/authorize?client_id=YOUR_ID&redirect_uri=https://example.com/callback&response_type=code&scope=read write" \
--pro
JSON report output
[email protected] python3 oauth_checker.py \
--url "https://example.com/oauth/authorize?client_id=YOUR_ID&redirect_uri=https://example.com/callback&response_type=code" \
--bundle --output oauth-report.json
As OpenClaw Discord Command
In #edgeiq-support channel:
!oauth https://example.com/oauth/authorize?client_id=YOUR_ID&redirect_uri=https://example.com/callback&response_type=code&scope=read
!oauth https://example.com/oauth/authorize?client_id=YOUR_ID --pro
Parameters
| Flag | Type | Default | Description |
|---|---|---|---|
--url |
string | — | Authorization URL with query params |
--pro |
flag | False | Enable Pro features |
--bundle |
flag | False | Enable Bundle features |
--output |
string | — | Write JSON report to file |
--timeout |
int | 10 | Request timeout (seconds) |
Output Example
=== OAuth Security Checker ===
Target: https://example.com/oauth/authorize
[1m[91m🔴 CRITICAL: Redirect URI allows localhost[0m
Pattern: https://localhost/callback
Risk: Attacker can intercept authorization codes
[1m[93m🟡 WARNING: State parameter not detected[0m
Risk: CSRF attack possible via authorization hijacking
[1m[92m✔ OK: PKCE is supported[0m
Challenge method: S256
[1m[92m✔ OK: Token endpoint requires TLS[0m
Version: TLS 1.2+
[1m[93m🟡 INFO: Scopes detected: read, write, admin[0m
Warning: 'admin' scope is overly broad
Threat Level: HIGH — 2 issues found
Pricing
Lifetime License: $39 — your tool forever, all features included permanently. Optional Monthly: $7/mo — for those who prefer recurring billing (cancel anytime). 👉 Buy Lifetime — $39 👉 Subscribe Monthly — $7/mo 👉 Subscribe Monthly — $7/mo
Pro Upgrade (deprecated)
All features now included in Lifetime purchase.
Support
Open a ticket in #edgeiq-support or email [email protected]
🔗 More from EdgeIQ Labs
edgeiqlabs.com — Security tools, OSINT utilities, and micro-SaaS products for developers and security professionals.
- 🛠️ Subdomain Hunter — Passive subdomain enumeration via Certificate Transparency
- 📸 Screenshot API — URL-to-screenshot API for developers
- 🔔 uptime.check — URL uptime monitoring with alerts
- 🛡️ headers.check — HTTP security headers analyzer
安全使用建议
This skill appears to implement the advertised OAuth checks, but several inconsistencies raise caution: (1) metadata claims no required env vars or config paths, yet the code reads environment variables (EDGEIQ_EMAIL, EDGEIQ_LICENSE_KEY) and a license file under ~/.edgeiq — the registry should declare this. (2) Licensing logic contains a hardcoded email that automatically grants 'bundle' access and multiple inconsistent purchase links/pricing across files, which reduces trust in provenance. (3) The SKILL.md suggests copying files from a local workspace and running the Python file, so verify the source before running. Before installing or running: review the two Python files yourself (you have them here); run in an isolated/sandbox environment if possible; don't export sensitive secrets or tokens into EDGEIQ_EMAIL/EDGEIQ_LICENSE_KEY; inspect network activity at runtime to ensure results aren't being exfiltrated to unexpected endpoints; and prefer acquiring tools from a trusted upstream repo or vendor (confirm the GitHub/source and owner). If you intend to use Pro features, confirm the payment links and licensing behavior directly with the author and avoid hardcoding real account credentials into environment variables the tool reads.
功能分析
Type: OpenClaw Skill
Name: edgeiq-oauth-security-checker
Version: 1.4.0
The skill bundle provides a functional OAuth 2.0 security scanner that checks for common misconfigurations like weak redirect URIs, missing PKCE, and CSRF vulnerabilities. The code in oauth_checker.py and edgeiq_licensing.py implements a local licensing system based on environment variables and local files, but it does not exfiltrate this data or perform any unauthorized network calls. No evidence of malicious intent, prompt injection, or data theft was found.
能力标签
能力评估
Purpose & Capability
The code (oauth_checker.py) implements the described OAuth checks (redirect URI, state, PKCE, scopes, response_type, token endpoint probing). That part is coherent with the skill's stated purpose.
Instruction Scope
The SKILL.md and code instruct the agent/user to set environment variables (EDGEIQ_EMAIL, EDGEIQ_LICENSE_KEY) and to copy files from a local ~/.openclaw/workspace path. The skill uses the user's home directory (~/.edgeiq/license.key and stripe_licenses.json) for license state. These config paths and env vars are not declared in the registry metadata (which lists no required env or config paths). The install instructions reference local paths rather than a standard package install.
Install Mechanism
No install spec is provided (instruction-only), and code appears to be pure Python stdlib. There is no remote download/install step declared in the registry metadata.
Credentials
Registry metadata declares no required environment variables, yet the code and SKILL.md rely on EDGEIQ_EMAIL and EDGEIQ_LICENSE_KEY for unlocking Pro/Bundle features and read/write ~/.edgeiq license files. Requesting an email env var to gate features is unexpected and not declared; the skill also implicitly requires file-system access to the user's home directory to read license state.
Persistence & Privilege
The skill persists licensing state under ~/.edgeiq (license.key and stripe_licenses.json). It does not request always:true or system-wide configuration changes, nor does it modify other skills, but the presence of local persistence was not declared in metadata and could surprise users.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install edgeiq-oauth-security-checker - 安装完成后,直接呼叫该 Skill 的名称或使用
/edgeiq-oauth-security-checker触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.4.0
v1.4.0: URGENT FIX — corrected Stripe Payment Link URLs
v1.3.0
v1.3.0: CRITICAL FIX — replaced placeholder Stripe URLs with real working Payment Link checkout URLs
v1.2.0
v1.2.0: Dual pricing — Lifetime as primary purchase option with optional monthly. Updated Stripe checkout URLs.
v1.0.0
Initial release: redirect URI validation, state parameter check, PKCE detection, scope analysis, implicit flow detection, authorization server probing.
元数据
常见问题
Oauth Security Checker 是什么?
Detects OAuth 2.0 security flaws in web apps by checking redirect URIs, state parameter, PKCE, token endpoint, scopes, and authorization server details. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 102 次。
如何安装 Oauth Security Checker?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install edgeiq-oauth-security-checker」即可一键安装,无需额外配置。
Oauth Security Checker 是免费的吗?
是的,Oauth Security Checker 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Oauth Security Checker 支持哪些平台?
Oauth Security Checker 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Oauth Security Checker?
由 snipercat69(@snipercat69)开发并维护,当前版本 v1.4.0。
推荐 Skills