openrouter-oauth

Pass

Audited by Gen Agent Trust Hub on Apr 26, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill implements a standard OAuth 2.0 PKCE (Proof Key for Code Exchange) flow. This is a security best practice for browser-based applications that cannot safely store a client secret, as it uses a cryptographically random verifier and challenge to secure the token exchange process.
  • [SAFE]: All external communications are directed to the official vendor domain openrouter.ai. This includes the authorization endpoint and the key exchange API, ensuring that user credentials and API keys are only handled by the intended service.
  • [SAFE]: The implementation provides strong security hygiene by using sessionStorage for the transient code_verifier to ensure it does not persist beyond the session or leak across tabs.
  • [SAFE]: No external packages or remote scripts are downloaded or executed. The provided code snippets rely exclusively on standard browser Web Crypto and Storage APIs.
  • [SAFE]: The skill includes defensive programming patterns, such as verifying the existence of an active OAuth session before processing callback parameters, which mitigates certain types of CSRF or unsolicited response attacks.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 26, 2026, 04:59 PM