← 返回 Skills 市场
TapAuth
作者
Jonah Schwartz
· GitHub ↗
· v1.0.3
· MIT-0
683
总下载
0
收藏
2
当前安装
13
版本数
在 OpenClaw 中安装
/install tapauth
功能描述
OAuth token provider for OpenClaw agents — Google Calendar, Gmail, GitHub, Slack, Linear, Notion, Vercel, Sentry, Asana, Discord, or Apify. Integrates with O...
安全使用建议
TapAuth appears to do what it claims: create browser approval URLs, cache grant credentials locally, and let OpenClaw run the bundled script to fetch tokens into an in-memory secrets snapshot. Before installing, verify you trust the tapauth.ai service (the script contacts https://tapauth.ai by default) and are comfortable with the gateway running the included script as an exec secret provider. Note that the script saves grant credentials (grant ID and grant secret) to TAPAUTH_HOME with restrictive permissions — those are sensitive and required for token retrieval. Do not set TAPAUTH_BASE_URL to an untrusted host (it can redirect the script to another server). Finally, follow the SKILL.md rules: don't invoke tapauth.sh --token directly in shell substitutions or curl commands; instead configure the exec provider so tokens are resolved by OpenClaw.
功能分析
Type: OpenClaw Skill
Name: tapauth
Version: 1.0.3
The TapAuth skill is a legitimate OAuth token broker designed to provide delegated access to various services (Google, GitHub, Slack, etc.) for OpenClaw agents. The core logic in `scripts/tapauth.sh` is well-implemented with security in mind, using a safe key-value parser to avoid 'eval' or 'source' and enforcing strict file permissions (600/700) for its local cache. The `SKILL.md` instructions follow security best practices by directing the AI agent to configure OpenClaw's internal secrets manager rather than handling raw tokens in shell commands, effectively reducing the risk of token leakage in logs or process lists.
能力标签
能力评估
Purpose & Capability
The skill name/description (OAuth token provider for many services) matches the files and runtime instructions. It requires curl and bash (documented) and includes a script that calls tapauth.ai to create grants and retrieve tokens. There are no unrelated env vars, binaries, or external downloads requested.
Instruction Scope
SKILL.md explicitly confines the agent to creating grants and configuring OpenClaw's exec secrets provider rather than directly capturing tokens. It instructs editing ~/.openclaw/openclaw.json and running openclaw secrets reload so the gateway runs the script with --token. This is expected for an exec-provider integration, but it does require granting the gateway the ability to run the bundled script and to pass TAPAUTH_HOME/HOME into the provider environment.
Install Mechanism
No install spec or remote downloads; the skill is instruction-first with local bash scripts included. No extract-from-URL or package registry installs are present. Risk from install mechanism is low.
Credentials
The skill declares no required env vars but the runtime requires setting TAPAUTH_HOME (or relying on default) and passing HOME into the exec provider; this is reasonable. The script caches grant credentials (TAPAUTH_GRANT_ID and TAPAUTH_GRANT_SECRET) to TAPAUTH_HOME with 600 permissions — bearer tokens are not written to disk per the code. Be aware the grant secret is a credential stored locally; SKILL.md's ‘no API key needed’ statement is accurate (the grant is created automatically), but it is still a secret persisted on disk.
Persistence & Privilege
always is false and model invocation is not disabled. The skill instructs adding an exec provider to openclaw.json so the gateway will run the included script at startup/reload to resolve tokens — this is normal for a secrets exec provider. The skill does not request permanent platform-wide privileges beyond that standard integration.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install tapauth - 安装完成后,直接呼叫该 Skill 的名称或使用
/tapauth触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.3
Cache-only credentials, expired-grant reauth, and OpenClaw packaging/docs updates
v2.0.3
Security hardening, safer grant reuse, and OpenClaw docs alignment
v2.0.2
Add Apify provider, OpenClaw references, Gmail reference
v2.0.1
feat: add --token flag for two-step approval flow; fix unbound variable crash; 5s polling interval
v2.0.0
v1.0.0: Removed google_sheets/google_docs providers. All providers now require explicit scopes. Added Discord provider with full scope support. Consolidated API under /api/v1/. Per-grant X25519 sealed box encryption.
v1.4.0
Updated provider coverage, improved SKILL.md documentation, updated tapauth.sh script
v1.3.0
Repo renamed from tapauth/tapauth-skill to tapauth/skill
v1.2.1
v1 CLI + OpenClaw secrets provider docs
v1.2.0
Added tapauth CLI script for JIT token fetching, v1 API endpoints (POST /api/v1/grants, GET /api/v1/token), Discord provider reference, updated all docs/blogs/skill to v1 patterns
v0.1.1
Add hCaptcha reality check, provider reference updates
v0.1.0
Synced from monorepo
v1.1.0
Fix domain to tapauth.ai, add all provider references (Asana, Slack, Discord, Dropbox, Figma, etc.)
v1.0.0
Initial publish: OAuth token broker skill for AI agents
元数据
常见问题
TapAuth 是什么?
OAuth token provider for OpenClaw agents — Google Calendar, Gmail, GitHub, Slack, Linear, Notion, Vercel, Sentry, Asana, Discord, or Apify. Integrates with O... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 683 次。
如何安装 TapAuth?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install tapauth」即可一键安装,无需额外配置。
TapAuth 是免费的吗?
是的,TapAuth 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
TapAuth 支持哪些平台?
TapAuth 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 TapAuth?
由 Jonah Schwartz(@schwartzdev)开发并维护,当前版本 v1.0.3。
推荐 Skills