1241 total downloads · 0 favorites · 2 current installs · 2 versions
Install in OpenClaw: /install openbotauth
Description
Get a cryptographic identity for your AI agent. Generate Ed25519 keys, sign your work, prove who you are — across any platform.
Safe usage recommendations
This skill largely does what it says (generate an Ed25519 keypair, store it locally, and register it with an OBA service), but before installing:
- Confirm you have Node.js (v18+), curl and optionally openssl available — the SKILL.md requires them though the manifest does not declare them.
- Verify the legitimacy of https://openbotauth.org and its token issuance flow before pasting any bearer token (the skill asks you to log in via GitHub and paste a token).
- Understand that your private key will be stored unencrypted in ~/.config/openbotauth/key.json and a temporary token in ~/.config/openbotauth/token (the skill recommends deleting the token afterward) — protect those files and consider generating keys offline.
- Prefer to run the provided node/curl commands locally yourself rather than pasting sensitive tokens into a chat window or allowing an autonomous agent to handle them.
- Ask the publisher for source/homepage or a repository so you can audit the registration step and confirm the API endpoints used.
If you cannot validate the remote service or the publisher, consider running the commands in a sandboxed environment or decline to install.
Functional analysis
Type: OpenClaw Skill
Name: openbotauth
Version: 0.1.1
The skill implements a cryptographic identity system for AI agents, including key generation, registration, and request signing. It is classified as suspicious due to the implementation of a local HTTPS Man-in-the-Middle (MITM) proxy within `/tmp/openbotauth-proxy.mjs`. This proxy generates a local Certificate Authority (`~/.config/openbotauth/ca/ca.key`) and per-domain certificates using `openssl` to intercept and sign HTTPS traffic. While the skill demonstrates strong security awareness through robust input validation (`isValidHostname`), use of `execFileSync` with array arguments to prevent shell injection, secure file permissions (`0o600`), and explicit warnings about the sensitive nature of the CA key and token handling (including token deletion after registration), the inherent high-risk capability of a local MITM proxy warrants a 'suspicious' classification. There is no evidence of malicious intent, but the powerful nature of the operations performed is significant.
Capability assessment
Purpose & Capability
The skill's stated purpose (create and register an Ed25519 identity and sign HTTP requests) matches the SKILL.md instructions (generate keys, register with an OBA API, store keys locally). However, the metadata claims no required binaries while the runtime instructions explicitly require Node.js (v18+), curl and optionally openssl. That mismatch is an incoherence: an agent or integrator would need Node/curl to run the provided commands, yet the manifest declares none.
Instruction Scope
Instructions are focused on key generation, local storage (~/.config/openbotauth/key.json), and one-time registration using a user-provided token. They explicitly warn not to keep the bearer token in the browsing runtime and to delete the token after registration. The skill tells the user to paste a token obtained from an external site (https://openbotauth.org/token) and to save registration info to agent memory/notes. These actions are consistent with the stated goal, but they involve handling sensitive material (private key and bearer token) and instruct the agent to write secrets to disk and to agent memory — the user should confirm they are comfortable with that and ensure the agent's memory is protected.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be downloaded or written by an installation step. That reduces installer risk. The runtime still relies on local execution of Node/curl/openssl commands per SKILL.md.
Credentials
The skill requests no environment variables or external credentials in the manifest. The runtime requires the user to supply a one-time OpenBotAuth bearer token (obtained through the external site) for registration and stores it temporarily under ~/.config/openbotauth/token. Requesting that token is proportional to the registration step, but the skill's manifest should have declared the runtime requirement for Node/curl/openssl and should explicitly warn about the sensitive nature of the token/private key.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It writes files only under the user's home directory (~/.config/openbotauth) which is appropriate for identity material. The SKILL.md advises secure file permissions (0700/0600) and to delete the token after use.
How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install openbotauth
- After installation, call the Skill by its name directly or trigger it with /openbotauth
- Provide the required inputs according to the Skill's parameter description to get structured output
Version history
v0.1.1
- Updated JWKS endpoint — changed from /agent-jwks/{id}.json to /jwks/{username}.json
- Added Token Handling Contract — documents bearer token lifecycle (registration-only, delete after)
- Added Compatibility Modes section — Core Mode (CLI) vs Browser Mode with security guidance
- Added Token Safety Rules table — do/don't guidance for token handling
- Added Runtime Compatibility table — support matrix for Claude Code, agent-browser, OpenClaw, CUA, skills.sh
- Registration script hardened:
  - Added redirect: 'error' to prevent token leakage on redirects
  - Writes config.json with agent_id, username, jwksUrl
  - Deletes token after successful registration
  - Fetches /auth/session to resolve username for JWKS URL
- Proxy security hardened:
  - Changed execSync to execFileSync (prevents command injection)
  - Added strict hostname validation regex
  - Added hash-based cert filenames (prevents path traversal)
  - Added port validation (1-65535)
- Added Official Packages section — links to @openbotauth/verifier-client, registry-signer, bot-cli, proxy
- Added strict verifier note — points to @openbotauth/bot-cli and openbotauth-demos/packages/signing-ts
- Enterprise SSO section — rewritten as roadmap spec (no runnable code, marked "not yet implemented")
- Proxy limitations — added IP hostname mitigation guidance
v0.1.0
- Initial release of openbotauth skill for cryptographic identity management.
- Enables Ed25519 keypair generation and management for AI agents.
- Provides step-by-step setup: keypair generation, token retrieval, agent registration, public JWKS endpoint activation, and signing/verifying payloads.
- Portable identity: sign and prove authenticity across multiple platforms using a single identity.
- Security guidance included to protect private keys and tokens.
Metadata
FAQ
What is OpenBotAuth?
Get a cryptographic identity for your AI agent. Generate Ed25519 keys, sign your work, prove who you are — across any platform. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1241 cumulative downloads so far.
How do I install OpenBotAuth?
Run the command "/install openbotauth" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.
Is OpenBotAuth free?
Yes, OpenBotAuth is completely free (open source), and you can download, install and use it freely.
Which platforms does OpenBotAuth support?
OpenBotAuth runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed OpenBotAuth?
Developed and maintained by hammadtq (@hammadtq); the current version is v0.1.1.