Merge skills: replace skill.md with openbotauth.md #49

Open
hammadtq wants to merge 8 commits into main from feat/merge-skills

@hammadtq
Contributor

Summary

  • Copies clawauth SKILL.md to /skills/openbotauth.md with full rebrand
  • Updates JWKS endpoint from /agent-jwks/{id} to /jwks/{username}.json
  • Adds /auth/session fetch to get username after agent registration
  • Deletes old skill.md (replaced entirely by HTTP signing skill)
  • Updates robots.txt skill URL

Key Changes

Rebranding

  • clawauth → openbotauth throughout
  • Proxy file: /tmp/openbotauth-proxy.mjs
  • CA cert CN: OpenBotAuth Proxy CA

JWKS Endpoint Fix

The old /agent-jwks/{id} endpoint is deprecated (returns 410). Registration now:

  1. Creates agent via POST /agents
  2. Fetches /auth/session to get username
  3. Builds JWKS URL as /jwks/{username}.json

Test Plan

  • Build portal: pnpm build
  • Deploy and verify curl https://openbotauth.org/skill/openbotauth.md returns the skill
  • Test registration flow outputs correct JWKS URL
  • Verify no "clawauth" references remain

- Copy clawauth SKILL.md to /skills/openbotauth.md
- Rebrand all "clawauth" references to "openbotauth"
- Update JWKS endpoint from /agent-jwks/{id} to /jwks/{username}.json
- Add /auth/session fetch to get username after agent registration
- Delete old skill.md (payload signing, now replaced by HTTP signing)
- Update robots.txt skill URL to /skill/openbotauth.md

- Replace execSync(template) with execFileSync(cmd, args) to prevent shell injection
- Add strict hostname validation: RFC-compliant DNS regex + IP check
- Use SHA256 hash for temp filenames to prevent path traversal
- Validate host/port at CONNECT handler before processing
- Replace execSync('rm -f') with native unlinkSync()

Threat model: prompt injection → malicious URL → RCE

- Add Compatibility Modes (Core CLI vs Browser)
- Add Token Handling Contract (registration-only, delete after)
- Add Token Safety Rules table
- Add Runtime Compatibility table
- Update Important Notes with token lifecycle warning

Makes skill safe for skills.sh distribution and runtime-agnostic.

- Fix CLI tools claim: Node + curl for core, openssl for proxy
- Step 3b: write config.json, delete token after registration
- Add redirect: error to all token-bearing fetch calls
- Step 5: prefer open --headers for single-load demos
- Step C: add TLS trust note with --ignore-https-errors option

Token deletion is now behavior, not just a rule.

- Header: broader framing (not just browser sessions)
- Step 3b: add username guard to prevent undefined.json
- Step 4: remove unused SESSION_ID, update description
- Proxy: add CA security warning and protocol limitations
- Enterprise SSO: mark as TBD (endpoint not yet live)
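
The hardening listed in the commit messages above (host/port validation at CONNECT, DNS regex plus IP check, SHA-256 temp filenames, `execFileSync` with an argument array) can be sketched as follows. This is an added example, not code from this pull request; the function names, the `oba-leaf-` file prefix and the `openssl req` arguments are assumptions.

```javascript
// Added example, not the PR's code. Names and the openssl call are assumptions.
const crypto = require('node:crypto');
const net = require('node:net');
const os = require('node:os');
const path = require('node:path');
const { execFileSync } = require('node:child_process');

// RFC 1123 label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

function isValidHost(host) {
  if (typeof host !== 'string' || host.length === 0 || host.length > 253) return false;
  if (net.isIP(host) !== 0) return true; // literal IPv4 or IPv6 address
  return host.split('.').every((label) => LABEL.test(label));
}

// Parse a CONNECT request-target ("host:port"); return null for anything else.
function parseConnectTarget(target) {
  const m = /^(.+):(\d{1,5})$/.exec(String(target));
  if (!m) return null;
  const host = m[1].replace(/^\[(.*)\]$/, '$1'); // unwrap a bracketed IPv6 literal
  const port = Number(m[2]);
  if (!isValidHost(host) || port < 1 || port > 65535) return null;
  return { host, port };
}

// Temp filename is a hex digest, so no byte of `host` reaches the path.
function tempCertPath(host, dir = os.tmpdir()) {
  const digest = crypto.createHash('sha256').update(host).digest('hex');
  return path.join(dir, `oba-leaf-${digest}.pem`);
}

// argv array for execFileSync: each element is one argument, no shell parses it.
function csrArgs(host, keyPath, csrPath) {
  return ['req', '-new', '-key', keyPath, '-subj', `/CN=${host}`, '-out', csrPath];
}

// Validate first, then hand the host to openssl without a shell in between.
function generateCsr(target, keyPath) {
  const parsed = parseConnectTarget(target);
  if (!parsed) throw new Error('rejected CONNECT target');
  const csrPath = tempCertPath(parsed.host).replace(/\.pem$/, '.csr');
  execFileSync('openssl', csrArgs(parsed.host, keyPath, csrPath), { stdio: 'pipe' });
  return csrPath;
}
```

The digest-based filename stays inside the target directory even for a host string that was never validated, so the two controls fail independently.
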
@runnerelectrode
Contributor

The skill signs requests but never reports activity back to OBA. The agent profile dashboard reads from POST /agent-activity, but nothing calls it — so "Recent Activity" stays empty.

The proxy should call POST /agent-activity after each forwarded request with the method, target URL, status code, and response time. That would populate the agent dashboard.

@runnerelectrode
Contributor

The current POST /agent-activity schema is HTTP-only:

{
  "agent_id": "uuid",
  "target_url": "https://...",
  "method": "GET",
  "status_code": 200,
  "response_time_ms": 150
}

But agents operate across Discord, Telegram, Slack, Claude co-work, GitHub, etc. — not just HTTP. A generic activity schema would cover all channels:

{
  "agent_id": "uuid",
  "channel": "discord",
  "action": "message.send",
  "target": "channel:123456789",
  "metadata": {
    "guild_id": "...",
    "message_length": 240
  },
  "timestamp": "2026-02-15T12:00:00Z"
}

  • channel — http, discord, telegram, claude-cowork, slack, github
  • action — channel-specific action type (http.request, discord.message.send, github.pr.comment)
  • target — where the action was directed (URL, channel ID, repo, etc.)
  • metadata — channel-specific details (status code for HTTP, guild ID for Discord, etc.)
