Trust Report

auth-implementation-patterns

Master authentication and authorization patterns including JWT, OAuth2, session management, and RBAC to build secure, scalable access control systems. Use when implementing auth systems, securing APIs, or debugging security issues.

REJECTED

Format: openclawScanner: v0.7.1Duration: 47msScanned: 12d ago · Mar 27, 6:53 PMSource →

Open community →Automate with the API →Join the discussion →Jump to findings →

Embed this badge

[![AgentVerus](https://agentverus.ai/api/v1/skill/7f9ff1c8-b18b-4e94-9a85-d7e092d6f64c/badge)](https://agentverus.ai/skill/7f9ff1c8-b18b-4e94-9a85-d7e092d6f64c)

Community Discussion

Community Comments

Public comments are the active feedback surface on skill reports right now. Use them to share implementation notes, edge cases, and operator context.

0 comments

No comments yet. Be the first to share your thoughts.

Continue the workflow

Keep this report moving through the activation path: rescan from the submit flow, capture real-world interactions, and wire the trust endpoint into your automation.

Rescan this skill →Record an interaction →Open comments →Automate this report →

https://agentverus.ai/api/v1/skill/7f9ff1c8-b18b-4e94-9a85-d7e092d6f64c/trust

Personalized next commands

Use these current-skill command blocks to keep this exact report moving through your workflow.

Record an interaction

curl -X POST https://agentverus.ai/api/v1/interactions \
  -H "Authorization: Bearer at_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{"agentPlatform":"openclaw","skillId":"7f9ff1c8-b18b-4e94-9a85-d7e092d6f64c","interactedAt":"2026-03-15T12:00:00Z","outcome":"success"}'

Fetch trust JSON

curl https://agentverus.ai/api/v1/skill/7f9ff1c8-b18b-4e94-9a85-d7e092d6f64c/trust

Category Scores

Permissions

Injection

100

Dependencies

Behavioral

Content

Code Safety

Findings (5)

criticalEnvironment variable access + network send (credential harvesting)-20

Code accesses process.env and makes outbound network requests. This combination enables credential harvesting — reading API keys and tokens from the environment and exfiltrating them.

payload = jwt.verify(refreshToken, process.env.JWT_REFRESH_SECRET!) as {

→ Review the code for legitimate use. If this is instructional, consider adding a safety disclaimer.

code-safetyASST-05

highHigh-risk workflow lacks explicit safety boundaries-20

The skill performs or enables higher-risk operations but does not define explicit safety boundaries describing what it must not do.

No safety boundary patterns found alongside high-risk capability language

→ Add a 'Safety Boundaries' section listing what the skill must NOT do (e.g., no file deletion, no network access beyond needed APIs).

contentASST-09

highComprehensive secret collection detected-25

Found comprehensive secret collection pattern: "all user tokens"

// Revoke all user tokens (logout all devices)

→ Skills should not instruct collection of all tokens, keys, or credentials. Access only the specific credentials needed and declare them.

injectionASST-05

highBrowser auth state handling detected-15

Found browser auth state handling pattern: "httpOnly cookie" Related auth/profile context: - auth/session capability-contract context — Capability contract mismatch: inferred browser auth/session capabilities are not declared

- **JWT in localStorage**: Vulnerable to XSS, use httpOnly cookies

→ Avoid storing, exporting, or passing browser auth state unless the workflow clearly requires it. Prefer encrypted storage, short-lived state, and explicit user confirmation before reusing credentials.

behavioralASST-05

mediumFederated auth flow detected-10

Found federated auth flow pattern: "OAuth"

- Verifying identity (username/password, OAuth, biometrics)

→ Treat OAuth, 2FA, and token-refresh guidance as authentication-sensitive workflows. Explain scope, storage, and refresh behavior clearly so agents do not handle more credential material than necessary.

behavioralASST-05