browser-auth-flow

Original：🇺🇸 English

Translated

Probe a site's authentication flow for redirect leaks, missing CSRF, weak session cookies, and OAuth misconfiguration; produces an auth findings.md

4installs

Sourceruvnet/ruflo

Added on2026-05-09

NPX Install

npx skill4agent add ruvnet/ruflo browser-auth-flow

SKILL.md Content

View Translation Comparison →

Browser Auth Flow

Adversarial probe of a site's authentication. Drives the login flow once, records the trajectory, then runs a configurable set of probes against the captured artifacts and live page. Output is a structured

findings.md

inside the RVF container.

When to use

Pre-deployment audit of a new auth flow.
Investigating a suspected token leak or redirect issue.
Establishing a baseline for ongoing regression checks.

Steps

Open a recorded session via
```
browser-record
```
.
Drive the auth flow as in
```
browser-login
```
(credentials come from
```
--credentials <handle>
```
referencing
```
browser-cookies
```
if the run is a re-auth probe).
Run probes:
- csrf
  : inspect the login POST in the trajectory; verify a same-origin token field is present and non-empty.
- redirect
  : watch
```
browser_get-url
```
  after each nav for cross-origin redirects with auth state in the URL or fragment. Flag any token-bearing URL that crosses an origin boundary.
- cookie
  : walk
```
document.cookie
```
  via
```
browser_eval
```
  . For each cookie, check
```
Secure
```
  ,
```
HttpOnly
```
  ,
```
SameSite
```
  , expiry, and entropy of the value. Flag missing flags or short tokens. Pass each through
```
aidefence_scan
```
  to flag PII embedded in cookie values.
- oauth
  : if the flow involves a third-party provider, capture the authorization request, verify
```
state
```
  and
```
nonce
```
  are present and high-entropy, verify
```
redirect_uri
```
  matches the registered callback domain.
Quarantine any token / credential / PII captured during probing — it stays inside the RVF container's findings, never returns to the model unredacted (
```
aidefence_is_safe
```
gate from
```
browser-extract
```
applies if you read the findings back).
Write
findings.md
with one section per probe, severity rating per finding, and a
```
verdict
```
(pass / warn / fail).
Index the session in
```
browser-sessions
```
with
```
tag: auth-probe
```
so future audits compare against it.

Caveats

This skill probes; it does not exploit. Do not chain follow-up requests using a captured token.
Credentials must come from a vaulted handle or interactive entry. Never hardcode them in the field map.
Some probes require multiple page loads. Trajectory step count for an auth probe typically lands at 15–40 steps; budget accordingly.
The output is structured for human review. Do not auto-act on findings without surfacing them to the user first.