lucaperret

MCP OAuth

Author: Luca · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 219
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install mcp-oauth
Description
Add OAuth 2.0 PKCE authentication to a remote MCP server. Use this skill whenever the user wants to add authentication to an MCP server, protect MCP tools wi...
Security usage recommendations
This skill appears to implement an OAuth PKCE flow for MCP servers, but the package metadata omits the real runtime requirements. Before installing or using it, ask the author (or require the skill to document) the exact environment/config needed:
- Which env vars are required (e.g., NEXT_PUBLIC_SITE_URL, REDIS_URL, upstream provider client_id and client_secret if any)?
- What npm packages must be installed (mcp-handler, Next.js dependencies)?
- Where are tokens/sessions stored and how should they be secured (Redis config, TLS, access controls)?
- Confirm the intended redirect_uri whitelist and whether 'none' auth on token endpoint is acceptable for your upstream provider.
Also: do not deploy this to production until you verify TLS is enforced, secrets are stored in a secure vault, and the Redis instance is access-controlled. If the author provides a clear list of required env vars, dependency list, and secure deployment instructions, many of the concerns above would be resolved.
Functional analysis
Type: OpenClaw Skill
Name: mcp-oauth
Version: 1.0.0
The skill provides a legitimate and well-structured template for implementing OAuth 2.0 PKCE authentication in Model Context Protocol (MCP) servers. It includes standard implementation patterns for discovery, dynamic client registration, and token exchange using Next.js API routes and Redis for session storage. No malicious code, data exfiltration, or harmful prompt injection attempts were found in SKILL.md or the associated logic.
Capability assessment
Purpose & Capability
The name/description claim to add OAuth PKCE to an MCP server and the instructions implement that. However the SKILL.md references Redis, Next.js route files, the mcp-handler library, and runtime env vars (e.g., NEXT_PUBLIC_SITE_URL) and implicitly expects upstream OAuth client IDs/secrets or provider metadata. The registry metadata lists no required env vars, binaries, or dependencies, which is inconsistent with the implementation work the instructions describe.
Instruction Scope
The runtime instructions tell the implementer/agent to create endpoints that store sessions and tokens in Redis, perform dynamic client registration, handle PKCE flows, and perform redirects to upstream OAuth providers. The SKILL.md reads environment variables (NEXT_PUBLIC_SITE_URL and uses an undeclared redis object) and assumes network calls to third-party OAuth providers. It does not explicitly list or require the Redis connection string, upstream client credentials, or other sensitive config—so the instruction scope accesses and handles sensitive data without declaring or justifying the required secrets or configuration steps.
Install Mechanism
No install spec and no code files beyond SKILL.md and evals.json: this is instruction-only, so nothing will be automatically downloaded or executed by the installer. That's the lowest install risk.
Credentials
The manifest declares no required environment variables or credentials, but the instructions clearly rely on runtime configuration (site URL, Redis connection, likely provider client IDs/secrets, possibly callback URLs). That absence is a red flag: code that manages OAuth tokens and sessions normally needs secrets and secure storage; the skill neither declares nor explains them, so required privileges and secrets are under-specified and could be misapplied.
Persistence & Privilege
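The `always` flag is false; the skill is user-invocable and can be invoked autonomously (the platform default). The skill doesn't request permanent agent-wide privileges or attempt to modify other skills or system-wide configs.
How to use
  1. Make sure OpenClaw is installed (locally or as a Docker deployment)
  2. Enter the install command in the chat box: /install mcp-oauth
  3. Once installation completes, call the Skill by name or trigger it with /mcp-oauth
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history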
v1.0.0
- Initial release of mcp-oauth, providing OAuth 2.0 PKCE authentication for remote MCP servers.
- Implements OAuth discovery, dynamic client registration, authorization endpoint, token exchange, and refresh flows as per MCP authorization spec.
- Includes code samples for Next.js server routes to enable:
  - Standards-based OAuth discovery and protected resource metadata endpoints.
  - Dynamic client registration (RFC 7591).
  - Secure authorization and callback logic for integrating with upstream OAuth services.
- Protects MCP endpoints and tools with user-level token-based access.
- Designed to trigger for any user request regarding adding authentication or OAuth to an MCP server.
Metadata
Slug: mcp-oauth
Version: 1.0.0
License: MIT-0
Total installs: 0
Current installs: 0
Version count: 1
FAQ

What is MCP OAuth?

Add OAuth 2.0 PKCE authentication to a remote MCP server. Use this skill whenever the user wants to add authentication to an MCP server, protect MCP tools wi... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 219 total downloads to date.

How do I install MCP OAuth?

Run the command "/install mcp-oauth" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is MCP OAuth free?

Yes. MCP OAuth is completely free, released under the MIT-0 license, and can be freely downloaded, installed, and used.

Which platforms does MCP OAuth support?

MCP OAuth runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed MCP OAuth?

It is developed and maintained by Luca (@lucaperret); the current version is v1.0.0.
