AgentAuth — Human Consent Gate for AI Agents

Why This Exists

OpenClaw's gateway uses bearer tokens stored in .env files. CVE-2026-25253 proved these tokens can be exfiltrated with one click. The ClawHavoc supply chain attack found 824+ malicious skills stealing credentials from ~/.clawdbot/.env. Exec approvals are the lock on the front door. AgentAuth is the lock on the safe.

AgentAuth adds a cryptographic consent layer: before your agent executes anything dangerous, you approve it with a biometric passkey on your device. The approval is signed with FIDO2/WebAuthn. It can't be faked, replayed, or stolen.

What This Prevents

- Agent deleting files or databases without your knowledge
- Agent sending emails, messages, or making purchases autonomously
- Prompt injection tricking the agent into destructive operations
- Stolen API tokens being used to impersonate your agent
- Agent modifying production configs or deploying code unsupervised
- Social engineering attacks that bypass in-chat "approval"

Initial Setup: Initialize My AgentAuth
Before approvals can be used, the user must register their authentication credentials.

If the user says something like:

- "Initialize my AgentAuth"
- "Set up AgentAuth"
- "Connect my passkey"
- "Register AgentAuth"

the agent MUST handle setup through a sub-agent so the main session remains responsive.
Required Flow: Non-Blocking Initialization
Main Agent Responsibilities:

1. Detect that the user is requesting AgentAuth initialization.
2. Spawn a sub-agent that runs the authentication setup flow.
3. Immediately call sessions_yield().
4. Do not narrate internal sub-agent creation. The setup flow will notify the user directly.

Sub-Agent Task

The sub-agent runs:

~/.openclaw/workspace/skills/agentauth/scripts/cli.cjs auth-flow --notify :

This command sends the user a secure setup link. The user follows the link and creates a passkey using their device's on-screen instructions.

When complete, the sub-agent reports the final result back to the main agent.
Main Agent Example Call

// WARNING: Do NOT add sandbox, streamTo, attachAs,
// attachments, agentId, model, thinking, thread,
// cwd or resumeSessionId — these cause validation errors!
sessions_spawn({
  runtime: "subagent",
  mode: "run",
  cleanup: "delete",
  lightContext: true,
  label: "agentauth-approval",
  timeoutSeconds: 300,
  task: "~/.openclaw/workspace/skills/agentauth/scripts/cli.cjs auth-flow --notify :"
});
sessions_yield();
What the User Experiences

1. User says: Initialize my AgentAuth
2. User receives a secure setup link
3. User creates a passkey
4. Agent receives completion status
5. Future sensitive actions can now require biometric approval

Dangerous Operations Definition

Treat the following as dangerous:

- File deletions (rm, rm -rf, recursive deletes)
- System-level modifications
- Database destructive queries (DELETE, DROP, TRUNCATE)
- Production deployments or config changes
- External system writes (APIs, PR merges, emails)
- Security or permission changes
- Package installs or system mutations
- Modifying the AGENTS.md to protect against unwanted rewrites.
- Any modification, deletion, or overwriting of the ~/.agentauth directory or its contents (e.g. ~/.agentauth/.env).
- Any modification, deletion, or overwriting of the AgentAuth skill directory or its contents (e.g. ~/.openclaw/workspace/skills/agentauth).
If unsure → assume dangerous
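One way a main agent could apply this definition before deciding whether to route a command through approval, as an added example that is not part of the AgentAuth skill: the function name `classify`, the read-only allowlist and the patterns are assumptions, and anything not recognised as read-only falls through to "dangerous".

```javascript
// Added example (hypothetical helper, not AgentAuth code): default-deny
// classification of a proposed shell command.

// Constructed allowlist of read-only commands; everything else needs approval.
const SAFE_COMMANDS = new Set(["ls", "cat", "pwd", "head", "tail", "grep", "wc"]);

// Patterns derived from the list of dangerous operations above.
const DANGEROUS_PATTERNS = [
  [/\brm\b/, "file deletion"],
  [/\b(delete\s+from|drop\s+(table|database)|truncate)\b/i, "destructive database query"],
  [/\b(npm|pip|apt|apt-get|brew)\s+(install|i|add)\b/, "package install"],
  [/\b(chmod|chown|sudo)\b/, "security or permission change"],
  [/AGENTS\.md/, "AGENTS.md reference"],
  [/\.agentauth\b/, "AgentAuth directory reference"],
  [/skills\/agentauth\b/, "AgentAuth skill directory reference"],
];

// Shell syntax that can chain, substitute or redirect: one string may hide
// a second command or a write, so it is never treated as read-only.
const SHELL_META = /[;&|`$<>(){}\n]/;

function classify(command) {
  for (const [pattern, reason] of DANGEROUS_PATTERNS) {
    if (pattern.test(command)) return { dangerous: true, reason };
  }
  if (SHELL_META.test(command)) {
    return { dangerous: true, reason: "unparsed shell syntax" };
  }
  const program = command.trim().split(/\s+/)[0];
  if (program && SAFE_COMMANDS.has(program)) {
    return { dangerous: false, reason: "allowlisted read-only command" };
  }
  // "If unsure, assume dangerous": unknown programs always need approval.
  return { dangerous: true, reason: "unknown command (assume dangerous)" };
}

// Constructed sample inputs.
for (const cmd of ["cat notes.txt", "rm ~/.openclaw/important.txt", "terraform apply"]) {
  console.log(cmd, "->", classify(cmd));
}
```

Pattern matching like this only decides which commands go to the approval flow; it does not replace the signed approval itself.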
Required Flow for Dangerous Actions: Non-Blocking Approval

To ensure the main agent remains responsive, sensitive operations MUST be handled by a sub-agent. This creates a safe, non-blocking approval workflow.

Required Flow: Non-Blocking Approval

Main Agent Responsibilities:

1. Detect a dangerous action is being requested.
2. Define the toolCall (the command to be executed) and a human-readable displayString.
3. Spawn a sub-agent that runs the approval-flow command.
4. Immediately call sessions_yield().
5. Do not narrate internal sub-agent creation. The approval-flow script handles all user notifications.

Sub-Agent Task
The sub-agent runs:

~/.openclaw/workspace/skills/agentauth/scripts/cli.cjs approval-flow "" "" --notify :

This single command handles the entire workflow:

- It sends the user a secure approval link.
- It waits for the user to respond (approve/deny).
- If approved, it executes the command. If denied, it does nothing.
- It returns the final result (e.g., the command's output or a status message) to the main agent.

Main Agent Example Call

const dangerous_command = "rm ~/.openclaw/important.txt";
const display_string = "Delete the important notes file";
const notification_target = "slack:U12345"; // Example target

// WARNING: Do NOT add sandbox, streamTo, attachAs,
// attachments, agentId, model, thinking, thread,
// cwd or resumeSessionId — these cause validation errors!
sessions_spawn({ runtime: "subagent",