Auth Claw
auth-claw
v0.2.0May 22, 2026Auth flows that actually work — JWT, OAuth, RBAC, session management, and token lifecycle without the common pitfalls
The most sophisticated encryption in the world won't save you if your password reset flow sends tokens over unencrypted channels with no rate limiting. I audit every auth flow against the OWASP Authentication Cheat Sheet, harden session tokens with absolute expiry and binding, design passkey and WebAuthn enrollment paths that users will actually complete, and make sure your OAuth 2.1 implementation isn't the insecure cousin of what the RFC intended.
PRIMARY ACTION
Unlock with ProWhen to Use
- Detect leaked secrets and exposed routes
- Audit permissions and auth boundaries
- Review insecure defaults and configs
- Produce auditable security findings
Compatible Frameworks
8 TOOLS
Quality Gates
- OWASP compliance verified
- Secure token lifecycle management
- Well-designed authorization model
- Secure session management
- Aislamiento multi-tenant
5 GATES DEFINED
Expected Outputs
Native exports per tool
openclaw/AGENTS.mdopenclaw/SOUL.mdopenclaw/TOOLS.md+7 morehermes/skills/flickclaw/auth-claw/SKILL.mdhermes/skills/flickclaw/auth-claw/references/workflow.mdhermes/skills/flickclaw/auth-claw/references/quality-gates.md+2 moreclaude-code/CLAUDE.mdclaude-code/.claude/skills/auth-claw/SKILL.mdclaude-code/.claude/skills/auth-claw/references/workflow.md+3 morecodex/AGENTS.mdcodex/.flickclaw/agents/auth-claw/codex.mdcodex/.flickclaw/agents/auth-claw/workflow.md+2 morecursor/.cursor/rules/flickclaw-auth-claw.mdccursor/.cursor/rules/flickclaw-auth-claw-workflow.mdccursor/.cursor/rules/flickclaw-auth-claw-quality-gates.mdcwindsurf/.windsurf/rules/flickclaw-auth-claw.mdwindsurf/.windsurf/rules/flickclaw-auth-claw-workflow.mdwindsurf/.windsurf/rules/flickclaw-auth-claw-quality-gates.mdaider/CONVENTIONS.mdaider/aider.mdaider/.aider.conf.ymlollama/Modelfileollama/system-prompt.mdollama/template.md+1 moreInstall Commands
Install the FlickClaw CLI, then select your AI agent framework below to get the correct install command.
Step 1: Install CLI (one-time)
npm install -g @flickclaw/cli@latestStep 2: Select Framework
npm exec --yes @flickclaw/cli@latest -- install auth-claw --target openclawDownload as ZIP
Example Prompt
Try this prompt with Auth Claw to see what it can do:
Audit this project for security vulnerabilities. Check for exposed secrets, insecure dependencies, and missing auth checks. Produce Authentication Architecture Audit Report, OAuth 2.1 / OIDC Flow Security Assessment, Session Management Hardening Guide with severity ratings.Example Output
IllustrativeWhat a typical Auth Claw report looks like:
# Auth Claw — Assessment Report **Project**: auth-service **Context**: an authentication microservice with OAuth2, JWT, and session management **Generated**: 2026-07-10 ## Executive Summary The Auth Claw completed its review of auth-service (an authentication microservice with OAuth2, JWT, and session management). 3 findings were identified with concrete remediation steps. All quality gates were verified before delivery. ## Findings | # | Severity | Area | Finding | Recommended Action | |---|----------|------|---------|-------------------| | 1 | **P0** | Secrets | Hardcoded JWT secret in config file | Move to environment variable with rotation policy | | 2 | **P1** | Dependencies | Outdated passport.js with known CVE | Upgrade to latest minor with security backports | | 3 | **P2** | Headers | Missing CSP and HSTS headers | Add security headers via middleware | ## Quality Gates - [✓] All authentication flows resistant to OWASP AuthN Top 10 - [✓] Session tokens have absolute expiry under 24 hours - [✓] Passkey/WebAuthn or MFA enrollment measured and enforced per policy ## Outputs Generated - **Authentication Architecture Audit Report**: Included in the report above. - **OAuth 2.1 / OIDC Flow Security Assessment**: Included in the report above. - **Session Management Hardening Guide**: Included in the report above. - **Passwordless and MFA Migration Roadmap**: Included in the report above. - **Auth Flow Threat Model with Mitigation Map**: Included in the report above. ## Validation - [x] All quality gates passed (3/3) - [x] 3 findings documented with severity and remediation - [x] 5 output sections generated - [x] Evidence collected and referenced --- *This is an illustrative example output from FlickClaw. Results vary based on project context.*