📦 TapAuth — OAuth令牌管家

v1.0.3

一键为OpenClaw智能体签发OAuth令牌，秒级接入Google Calendar、Gmail、GitHub、Slack、Linear、Notion、Vercel、Sentry、Asana、Discord、Apify等主流服务，零配置完成授权，自动续期，安全托管，让多平台API调用像本地函数一样简单。

0· 649·2 当前·2 累计

by @schwartzdev (Jonah Schwartz)

API工具安全云服务智能体自动化

下载技能包

最后更新

2026/4/17

安全扫描

VirusTotal

无害

查看报告

OpenClaw

安全

high confidence

NULL

评估建议

TapAuth appears to do what it claims: create browser approval URLs, cache grant credentials locally, and let OpenClaw run the bundled script to fetch tokens into an in-memory secrets snapshot. Before installing, verify you trust the tapauth.ai service (the script contacts https://tapauth.ai by default) and are comfortable with the gateway running the included script as an exec secret provider. Note that the script saves grant credentials (grant ID and grant secret) to TAPAUTH_HOME with restricti...

详细分析 ▾

✓ 用途与能力

The skill name/description (OAuth token provider for many services) matches the files and runtime instructions. It requires curl and bash (documented) and includes a script that calls tapauth.ai to create grants and retrieve tokens. There are no unrelated env vars, binaries, or external downloads requested.

ℹ 指令范围

SKILL.md explicitly confines the agent to creating grants and configuring OpenClaw's exec secrets provider rather than directly capturing tokens. It instructs editing ~/.openclaw/openclaw.json and running openclaw secrets reload so the gateway runs the script with --token. This is expected for an exec-provider integration, but it does require granting the gateway the ability to run the bundled script and to pass TAPAUTH_HOME/HOME into the provider environment.

✓ 安装机制

No install spec or remote downloads; the skill is instruction-first with local bash scripts included. No extract-from-URL or package registry installs are present. Risk from install mechanism is low.

ℹ 凭证需求

The skill declares no required env vars but the runtime requires setting TAPAUTH_HOME (or relying on default) and passing HOME into the exec provider; this is reasonable. The script caches grant credentials (TAPAUTH_GRANT_ID and TAPAUTH_GRANT_SECRET) to TAPAUTH_HOME with 600 permissions — bearer tokens are not written to disk per the code. Be aware the grant secret is a credential stored locally; SKILL.md's ‘no API key needed’ statement is accurate (the grant is created automatically), but it is still a secret persisted on disk.

✓ 持久化与权限

always is false and model invocation is not disabled. The skill instructs adding an exec provider to openclaw.json so the gateway will run the included script at startup/reload to resolve tokens — this is normal for a secrets exec provider. The skill does not request permanent platform-wide privileges beyond that standard integration.

安全有层次，运行前请审查代码。

运行时依赖

无特殊依赖

版本

latestv1.0.32026/2/25

NULL

● 无害

安装命令

点击复制

官方npx clawhub@latest install tapauth

镜像加速npx clawhub@latest install tapauth --registry https://cn.longxiaskill.com

数据来源：ClawHub ↗ · 中文优化：龙虾技能库