oauth-login
Facilitates OAuth login flows by automating browser interactions and securely storing tokens for verification.
Security score
The oauth-login skill was audited on Mar 1, 2026 and we found 34 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 296 | ```bash |
Curl to non-GitHub URL
| 179 | curl -sf http://localhost:3847/ -o /dev/null 2>&1 || echo "WARNING: Callback server may not have started" |
Curl to non-GitHub URL
| 182 | **Verify server is listening** before proceeding by running `curl -sf http://localhost:3847/ -o /dev/null` and checking the exit code. If the server failed to start (port in use, Node.js error), check |
Curl to non-GitHub URL
| 254 | curl -s -X POST https://oauth2.googleapis.com/token \ |
Curl to non-GitHub URL
| 282 | curl -s -H "Authorization: Bearer $ACCESS_TOKEN" https://www.googleapis.com/oauth2/v2/userinfo |
Curl to non-GitHub URL
| 287 | curl -s -H "Authorization: Bearer $ACCESS_TOKEN" https://api.github.com/user |
Curl to non-GitHub URL
| 366 | curl -s -X POST https://oauth2.googleapis.com/token \ |
Access to .env file
| 9 | consent page, waits for callback, and stores tokens in the project's `.env` file. |
Access to .env file
| 61 | - [ ] Step 10: Store tokens in .env |
Access to .env file
| 85 | Read `.env` file and check for existing OAuth tokens: |
Access to .env file
| 88 | grep -E "^OAUTH_(GOOGLE|GITHUB)_" .env 2>/dev/null || true |
Access to .env file
| 121 | Add to `.env`: |
Access to .env file
| 128 | After writing to `.env`, read back the file to confirm the credentials were stored correctly. If the `.env` file does not exist yet, create it first. |
Access to .env file
| 294 | Calculate expiry timestamp and store in `.env`: |
Access to .env file
| 300 | Add/update in `.env`: |
Access to .env file
| 308 | After writing tokens to `.env`, read back the file to verify the token variables are present and non-empty. Do not proceed to the next step if tokens are missing. |
Access to .env file
| 341 | Access Token: Stored in .env as OAUTH_{PROVIDER}_ACCESS_TOKEN |
Access to .env file
| 360 | 1. Read `OAUTH_{PROVIDER}_REFRESH_TOKEN` from `.env` |
Access to .env file
| 373 | 4. Update `OAUTH_{PROVIDER}_ACCESS_TOKEN` and `OAUTH_{PROVIDER}_TOKEN_EXPIRY` in `.env` |
Access to .env file
| 415 | - Client secrets are stored in `.env` which should be in `.gitignore` |
External URL reference
| 33 | - Go to https://console.cloud.google.com/apis/credentials |
External URL reference
| 35 | - Add authorized redirect URI: `http://localhost:3847/oauth/callback` |
External URL reference
| 40 | - Set callback URL: `http://localhost:3847/oauth/callback` |
External URL reference
| 168 | console.log('OAuth callback server listening on http://localhost:3847'); |
External URL reference
| 179 | curl -sf http://localhost:3847/ -o /dev/null 2>&1 || echo "WARNING: Callback server may not have started" |
External URL reference
| 182 | **Verify server is listening** before proceeding by running `curl -sf http://localhost:3847/ -o /dev/null` and checking the exit code. If the server failed to start (port in use, Node.js error), check |
External URL reference
| 188 | https://accounts.google.com/o/oauth2/v2/auth? |
External URL reference
| 190 | redirect_uri=http://localhost:3847/oauth/callback& |
External URL reference
| 201 | redirect_uri=http://localhost:3847/oauth/callback& |
External URL reference
| 254 | curl -s -X POST https://oauth2.googleapis.com/token \ |
External URL reference
| 258 | -d "redirect_uri=http://localhost:3847/oauth/callback" \ |
External URL reference
| 282 | curl -s -H "Authorization: Bearer $ACCESS_TOKEN" https://www.googleapis.com/oauth2/v2/userinfo |
External URL reference
| 287 | curl -s -H "Authorization: Bearer $ACCESS_TOKEN" https://api.github.com/user |
External URL reference
| 366 | curl -s -X POST https://oauth2.googleapis.com/token \ |
Install this skill with one command
/learn @benjaminshoemaker/oauth-login