
Account & Authentication

v1.0.1

Account and authentication tools.

by @d9m1n1c (D9m1n1c)·MIT-0
License: MIT-0
Last updated: 2026/3/20
Security scan
VirusTotal: Benign
OpenClaw: Safe (high confidence)
The skill is instruction-only and its requested environment access and runtime instructions are coherent with an account/authentication API integration.
Assessment recommendations
This skill appears internally consistent, but review these practical checks before installing: 1) Verify the API base URL (default: https://payment-api-dev.aiotnetwork.io) is a trusted endpoint for your use — consider overriding AIOT_API_BASE_URL for production to a verified domain and ensure HTTPS/TLS is enforced. 2) The variable labeled as a "primary credential" is just a URL; no secrets are requested by the skill, but the API itself will handle authentication (tokens/OTP) — ensure the agent r...
Detailed analysis
Purpose and capabilities
The name/description (signup, login, session management, password reset, wallet linking) match the listed API endpoints and flows. All declared requirements (only AIOT_API_BASE_URL) are relevant to contacting the API. The only minor oddity is that the registry metadata marks the base URL as the "primary credential" even though a URL is not a secret credential; this appears to be a labeling choice rather than a functional mismatch.
Instruction scope
SKILL.md provides specific HTTP endpoint flows (send OTP, verify OTP, signup, login, refresh, etc.) and explicitly confines behavior to those flows. Instructions do not ask the agent to read local files or unrelated environment variables, nor to transmit data to endpoints outside the documented API base URL. The guidance about never logging or persisting secrets is appropriate, though an instruction-only skill cannot technically enforce runtime logging policies.
Install mechanism
There is no install spec and no code files — the skill is instruction-only which minimizes on-disk risk. Nothing is downloaded or executed automatically.
Credential requirements
The skill only requires AIOT_API_BASE_URL, which is proportionate to an API client. Note: the registry marks that variable as a "primary credential" even though it is just a URL (not a secret). There are no requests for unrelated secrets or credentials.
Persistence and privileges
always:false and no install-time persistence are present. The skill does not request permanent system presence or attempt to modify other skills or system configuration. The default ability for the agent to invoke the skill autonomously is normal and not by itself a concern.
Security is layered; review the code before running.

License

MIT-0

Free to use, modify, and redistribute, with no attribution required.

Runtime dependencies

No special dependencies

Versions

latest · v1.0.1 · 2026/3/11

- Added environment configuration details, including use of the AIOT_API_BASE_URL variable and its default value.
- Updated OTP flow: changed signup OTP type from "signup" to "registration" in docs and examples.
- Listed all valid OTP types and clarified their use in flows.
- No changes to API endpoints or tool functionality.
- Improved instructions for local and default API base URL usage.


Install command

Official: npx clawhub@latest install aiotnetwork-account-auth
Mirror: npx clawhub@latest install aiotnetwork-account-auth --registry https://cn.clawhub-mirror.com

Skill documentation

Use this skill when the user needs to sign up, log in, manage sessions, reset their password, or link a Web3 wallet.

Configuration

The default API base URL is https://payment-api-dev.aiotnetwork.io. All endpoints are relative to this URL.

To override (e.g. for local development):

export AIOT_API_BASE_URL="http://localhost:8080"

If AIOT_API_BASE_URL is not set, use https://payment-api-dev.aiotnetwork.io as the base for all requests.

Available Tools

  • send_otp — Send a one-time password to an email address | POST /api/v1/auth/otp/send
  • verify_otp — Verify an OTP code and receive a verification token | POST /api/v1/auth/otp/verify
  • otp_rate_limit_status — Check OTP rate limit status for the current session | GET /api/v1/auth/otp/status
  • signup — Create a new account with email, password, and OTP verification token | POST /api/v1/auth/signup
  • login — Log in with email and password | POST /api/v1/auth/login
  • login_with_wallet — Log in by signing a nonce with a Web3 wallet | POST /api/v1/auth/wallet
  • get_wallet_nonce — Get a nonce for wallet-based login | GET /api/v1/auth/wallet/nonce
  • biometric_login — Log in using biometric credentials | POST /api/v1/auth/biometric
  • refresh_token — Refresh an expired access token using a refresh token | POST /api/v1/auth/refresh
  • reset_password — Reset the account password using OTP verification | POST /api/v1/auth/reset-password
  • unlock_account — Unlock a locked account | POST /api/v1/auth/unlock
  • get_account — Get current account information | GET /api/v1/account | Requires auth
  • update_password — Change the account password | PUT /api/v1/account/password | Requires auth
  • link_wallet — Link a Web3 wallet to the account | PUT /api/v1/account/wallet | Requires auth
  • unlink_wallet — Remove the linked Web3 wallet | DELETE /api/v1/account/wallet | Requires auth
  • logout — Log out of the current session | POST /api/v1/account/logout | Requires auth
  • logout_all — Log out from all sessions | POST /api/v1/account/logout-all | Requires auth

Recommended Flows

Sign Up

Create a new account via email and OTP

  • Send OTP: POST /api/v1/auth/otp/send with {email, type: "registration"}
  • Verify OTP: POST /api/v1/auth/otp/verify with {email, code, type: "registration"} — returns verification_token
  • Sign up: POST /api/v1/auth/signup with {email, password, verification_token}

Login

Authenticate and receive access/refresh tokens

  • Login: POST /api/v1/auth/login with {email, password} — returns access_token, refresh_token
  • Use the access_token as a Bearer token in the Authorization header for all authenticated requests
  • When the access_token expires, refresh: POST /api/v1/auth/refresh with {refresh_token}

Rules

  • OTP is required for signup and password reset — always send, then verify, before proceeding
  • Access tokens expire after 1 hour — use the refresh_token to get a new one
  • After 5 failed login attempts the account is locked — use /auth/unlock to recover
  • Never store or log passwords — use them transiently only

Agent Guidance

Follow these instructions when executing this skill:

  • Always follow the documented flow order. Do not skip steps.
  • If a tool requires authentication, verify that the session has a valid bearer token before calling it.
  • If a tool requires a transaction PIN, ask the user for a fresh one each time. Never cache or log PINs.
  • Never expose, log, or persist secrets (passwords, tokens, full card numbers, CVVs).
  • If the user requests an operation outside this skill's scope, decline and suggest the appropriate skill.
  • If a step fails, check the error and follow the recovery guidance below before retrying.
  • To sign up a new user: first call send_otp with type "registration", then verify_otp with type "registration", then signup. Never skip OTP verification.
  • Valid OTP types: "registration" (signup), "forget_password", "account_unlock", "pin_setup", "pin_reset". Always use the correct type for the operation.
  • To reset a password: first call send_otp with type "forget_password", then verify_otp, then reset_password with the verification token.
  • All authenticated endpoints require a bearer token obtained from login or login_with_wallet.
  • When the access token expires (1 hour TTL), call refresh_token with the refresh token. Do not ask the user to log in again.
  • Never log, store, or repeat the user's password back to them.
  • If login fails 5 times consecutively, the account locks. To unlock: call send_otp with type "account_unlock", then verify_otp, then unlock_account with the verification token.
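The guidance above leaves base-URL trust, OTP type selection, and secret handling to the caller. The following is an added example, not part of the skill or its API, of client-side guards for those three points. The function names are hypothetical, and the OTP endpoint paths are assumed to be /api/v1/auth/otp/send and /api/v1/auth/otp/verify, matching the send_otp and verify_otp tools.

```python
import os
from urllib.parse import urlsplit

DEFAULT_BASE_URL = "https://payment-api-dev.aiotnetwork.io"  # default stated in the skill docs
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# OTP type that must be sent and verified before each operation (from the docs).
OTP_TYPE_FOR = {
    "signup": "registration",
    "reset_password": "forget_password",
    "unlock_account": "account_unlock",
}
# Body fields that must never reach a log line.
SECRET_KEYS = {"password", "code", "verification_token", "access_token", "refresh_token"}


def resolve_base_url(env=None):
    """Return the API base URL; allow plain HTTP only for local development."""
    env = os.environ if env is None else env
    url = (env.get("AIOT_API_BASE_URL") or DEFAULT_BASE_URL).rstrip("/")
    parts = urlsplit(url)
    if parts.scheme == "https" and parts.hostname:
        return url
    if parts.scheme == "http" and parts.hostname in LOCAL_HOSTS:
        return url
    raise ValueError(f"base URL must be HTTPS (or http on localhost): {url!r}")


def otp_steps(operation, email, code):
    """Build the send/verify OTP requests that must precede `operation`."""
    if operation not in OTP_TYPE_FOR:
        raise ValueError(f"no OTP flow documented for {operation!r}")
    otp_type = OTP_TYPE_FOR[operation]
    return [
        ("POST", "/api/v1/auth/otp/send", {"email": email, "type": otp_type}),
        ("POST", "/api/v1/auth/otp/verify",
         {"email": email, "code": code, "type": otp_type}),
    ]


def redact(body):
    """Return a copy of a request or response body that is safe to log."""
    return {k: "[REDACTED]" if k in SECRET_KEYS else v for k, v in body.items()}


if __name__ == "__main__":
    # Constructed sample input: a placeholder address and OTP code.
    for method, path, body in otp_steps("signup", "user@example.com", "000000"):
        print(method, resolve_base_url({}) + path, redact(body))
```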
Data source: ClawHub · Chinese localization: 龙虾技能库