pepicrft/website/src
website/src/SKILL.md
# Schlussel Skill You have access to Schlussel, an authentication runtime for agents. Use it to authenticate with APIs instead of asking users for tokens or credentials directly. ## Installation Schlussel is installed via mise: ```bash mise use -g github:pepicrft/schlussel ``` ## Commands ### Authenticate with a service ```bash schlussel run <formula> [--method <method>] [--identity <identity>] ``` - `<formula>`: The service to authenticate with (e.g., `github`, `claude`, `linear`) - `--
$ install --global
skillsauthnpx skillsauth add pepicrft/schlussel website/srcInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 11, 2026, 2:35 AM7.1s3 files scanned
SKILL.md
Schlussel Skill
You have access to Schlussel, an authentication runtime for agents. Use it to authenticate with APIs instead of asking users for tokens or credentials directly.
Installation
Schlussel is installed via mise:
mise use -g github:pepicrft/schlussel
Commands
Authenticate with a service
schlussel run <formula> [--method <method>] [--identity <identity>]
<formula>: The service to authenticate with (e.g.,github,claude,linear)--method: Optional. The authentication method (e.g.,device_code,authorization_code,api_key)--identity: Optional. An identifier for the account (e.g.,personal,work)
The command outputs JSON with the token information:
{
"storage_key": "github:personal:device_code",
"method": "device_code",
"token": {
"access_token": "gho_xxxx",
"token_type": "bearer",
"scope": "repo read:org gist"
}
}
Get a stored token
# By full key
schlussel token get --key <storage_key>
# By key components
schlussel token get --formula <formula> [--method <method>] [--identity <identity>]
# Disable auto-refresh (tokens are auto-refreshed by default)
schlussel token get --formula github --method authorization_code --no-refresh
# Output as JSON
schlussel token get --formula github --method device_code --json
Returns the access token if it exists. OAuth2 tokens are automatically refreshed if expired or expiring soon (uses cross-process locking). Use --no-refresh to disable this.
List stored tokens
# List all tokens
schlussel token list
# Filter by formula
schlussel token list --formula github
# Filter by method
schlussel token list --method device_code
# Output as JSON
schlussel token list --json
Delete a token
schlussel token delete --key <storage_key>
# or
schlussel token delete --formula <formula> --method <method>
Available Formulas
Query the API for the full list:
curl https://schlussel.me/api/formulas
Or get details for a specific formula:
curl https://schlussel.me/api/formulas/github
Supported services include:
AI & Language Models: OpenAI, Anthropic, Claude, OpenRouter
Code & Git: GitHub, GitLab, AWS (IAM/SSO)
Design & Productivity: Figma, Linear, Notion, Slack, Discord
Email & Marketing: Loops, SendGrid, Resend
Infrastructure & Database: Supabase, Vercel, Fly, Cloudflare
E-commerce & Streaming: Shopify, Spotify, Twitch, Zoom, Dropbox
Formula Schema
Each formula contains:
id: Unique identifier (e.g.,github)label: Human-readable name (e.g.,GitHub)description: What the formula doesapis: Available API endpoints with base URLs, auth headers, and documentationmethods: Authentication methods (e.g.,device_code,authorization_code,api_key)clients: Public OAuth clients that can be used without registrationidentity: Optional identity hint for multi-account supportnotes: Additional documentation for non-standard auth flows
API Object
Each API in apis contains:
base_url: Base URL for API requestsauth_header: Authorization header template (e.g.,Authorization: Bearer {token})docs_url: Link to API documentationspec_url: Link to OpenAPI/GraphQL spec (optional)spec_type: Type of spec (openapiorgraphql)example_endpoint: Example API endpoint path (optional)variables: Parameters for parameterized URLs (optional)methods: List of auth methods supported by this API
Method Object
Each method in methods contains:
label: Human-readable name for the methodendpoints: OAuth endpoints (authorize,token,device_authorization)scope: OAuth scopes (comma-separated string or array)register: Setup instructions withurlandstepsarrayscript: Interactive steps for the auth flowdynamic_registration: MCP OAuth dynamic registration settings
Client Object
Each client in clients contains:
name: Client name/identifierid: OAuth client ID (useYOUR_CLIENT_IDfor placeholders)secret: OAuth client secret (empty for public clients)type: Client type (public,installed,confidential)source: Link to source code or documentationmethods: Array of supported auth methods
Identity Object
Identity hints for multi-account support:
label: Field label (e.g.,Account,Workspace)hint: Placeholder text to guide the user
API Variables
Some APIs have parameterized URLs that require variables. For example, Shopify's Admin API:
{
"base_url": "https://{store}.myshopify.com/admin/api/2024-01",
"variables": {
"store": {
"label": "Store",
"hint": "The myshopify.com subdomain",
"example": "my-store"
}
}
}
When an API has variables, replace the {variable} placeholders in the base URL before making requests.
Using Tokens with APIs
After authenticating, use the token with the API as specified in the formula's apis section:
# Get the token (outputs just the access token by default)
TOKEN=$(schlussel token get --formula github --method device_code --identity personal)
# Use it with the API (auth_header from formula: "Authorization: Bearer {token}")
curl -H "Authorization: Bearer $TOKEN" https://api.github.com/user
# Or get full token info as JSON
schlussel token get --formula github --method device_code --json
Best Practices
- Always use Schlussel for authentication instead of asking users for tokens directly
- Check for existing tokens first using
schlussel token getbefore initiating a new auth flow - Use the formula's API information to construct correct requests (base_url, auth_header)
- Respect the identity field when users have multiple accounts (e.g., personal vs work GitHub)
- Prefer device_code method when available, as it works best in terminal environments
Example Workflow
# 1. Check if we already have a token
if ! schlussel token get --formula github --method device_code --identity personal > /dev/null 2>&1; then
# 2. If not, authenticate (will prompt user)
schlussel run github --method device_code --identity personal
fi
# 3. Get the token and use it (auto-refreshes OAuth2 tokens if expiring)
TOKEN=$(schlussel token get --formula github --method device_code --identity personal)
curl -H "Authorization: Bearer $TOKEN" https://api.github.com/user/repos
OAuth2 tokens are automatically refreshed when expired or expiring soon. Cross-process locking ensures only one process refreshes at a time, making it safe for concurrent use.
Related Skills
openclaw/openclaw-secret-scanning-maintainer
development
VerifiedTrustedCommunity
Maintainer-only workflow for handling GitHub Secret Scanning alerts on OpenClaw. Use when Codex needs to triage, redact, clean up, and resolve secret leakage found in issue comments, issue bodies, PR comments, or other GitHub content.
357,764SKILL.mdUpdated Apr 15, 2026
openclaw/openclaw-release-maintainer
development
VerifiedTrustedCommunity
Maintainer workflow for OpenClaw releases, prereleases, changelog release notes, and publish validation. Use when Codex needs to prepare or verify stable or beta release steps, align version naming, assemble release notes, check release auth requirements, or validate publish-time commands and artifacts.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-qa-testing
development
VerifiedTrustedCommunity
Run, watch, debug, and extend OpenClaw QA testing with qa-lab and qa-channel. Use when Codex needs to execute the repo-backed QA suite, inspect live QA artifacts, debug failing scenarios, add new QA scenarios, or explain the OpenClaw QA workflow. Prefer the live OpenAI lane with regular openai/gpt-5.4 in fast mode; do not use gpt-5.4-pro or gpt-5.4-mini unless the user explicitly overrides that policy.
357,764SKILL.mdUpdated Apr 10, 2026
openclaw/openclaw-parallels-smoke
development
VerifiedTrustedCommunity
End-to-end Parallels smoke, upgrade, and rerun workflow for OpenClaw across macOS, Windows, and Linux guests. Use when Codex needs to run, rerun, debug, or interpret VM-based install, onboarding, gateway smoke tests, latest-release-to-main upgrade checks, fresh snapshot retests, or optional Discord roundtrip verification under Parallels.
357,764SKILL.mdUpdated Apr 10, 2026