.env.example

@@ -1,4 +1,6 @@
 # Local runtime config for client-finder skill
-# Auth is handled automatically via ~/.openclaw/.env
+# Copy to .env.local in the same folder and fill real values.
 
 AUTH_BASE=https://api-gw-test.yuanwei-lnc.com
+CLIENT_KEY=sk_xxx_replace_with_real_key
+

SKILL.md

@@ -8,7 +8,7 @@ description: "找客户、找买家、开发客户、cold outreach。当用户
 Skill-credit + ecom run-flow: query expansion → `/ecom/cold-outreach/run-flow`.
 Execution mode is fire-and-return: start workflow fast and return accepted immediately; terminal callbacks are handled by backend webhook delivery.
 
-> Auth is handled automatically by auth-runtime via `~/.openclaw/.env`.
+> Auth (CLIENT_KEY) is loaded automatically from `~/.openclaw/.env` by auth-runtime. No need to pass it.
 
 ## Run Skill
 
@@ -51,7 +51,8 @@ For client onboarding and billing flow (Chinese), read [how-to-use.md](how-to-us
 - Remove leading `cold-outreach:` prefix (case-insensitive).
 
 2. Exchange runtime token.
-- Auth handled automatically by auth-runtime.
+- auth-runtime handles this automatically via `~/.openclaw/.env`.
+- Calls `POST /auth/skill-credit/session` with `CLIENT_KEY`, caches token with TTL.
 
 3. Expand query.
 - Build candidate queries from skill logic (`rule`) or `QUERY_EXPANSION_JSON` (`llm`).

bun.lock

@@ -5,7 +5,7 @@
     "": {
       "name": "client-finder",
       "dependencies": {
-        "@clawd/auth-runtime": "file:../auth-runtime",
+        "@clawd/auth-runtime": "file:../_shared/auth-runtime",
       },
       "devDependencies": {
         "@types/bun": "latest",
@@ -17,11 +17,11 @@
     },
   },
   "packages": {
-    "@clawd/auth-runtime": ["@clawd/auth-runtime@file:../auth-runtime", { "devDependencies": { "@types/node": "^25.3.3", "typescript": "^5.9.3" } }],
+    "@clawd/auth-runtime": ["@clawd/auth-runtime@file:../_shared/auth-runtime", { "devDependencies": { "@types/node": "^25.3.3", "typescript": "^5.9.3" } }],
 
     "@types/bun": ["@types/bun@1.3.10", "", { "dependencies": { "bun-types": "1.3.10" } }, "sha512-0+rlrUrOrTSskibryHbvQkDOWRJwJZqZlxrUs1u4oOoTln8+WIXBPmAuCF35SWB2z4Zl3E84Nl/D0P7803nigQ=="],
 
-    "@types/node": ["@types/node@25.5.0", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw=="],
+    "@types/node": ["@types/node@25.3.3", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-DpzbrH7wIcBaJibpKo9nnSQL0MTRdnWttGyE5haGwK86xgMOkFLp7vEyfQPGLOJh5wNYiJ3V9PmUMDhV9u8kkQ=="],
 
     "bun-types": ["bun-types@1.3.10", "", { "dependencies": { "@types/node": "*" } }, "sha512-tcpfCCl6XWo6nCVnpcVrxQ+9AYN1iqMIzgrSKYMB/fjLtV2eyAVEg7AxQJuCq/26R6HpKWykQXuSOq/21RYcbg=="],
 

install.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-cd "$(dirname "$0")"
-
-# Auto-install auth-rt if not found
-if ! command -v auth-rt &>/dev/null && [ ! -x "$HOME/.local/bin/auth-rt" ]; then
-  echo "auth-rt not found, installing..."
-  _FORGEJO="http://192.168.0.108:3030"
-  _OS="$(uname -s | tr '[:upper:]' '[:lower:]')"
-  _ARCH="$(uname -m)"; case "$_ARCH" in x86_64) _ARCH="amd64";; aarch64) _ARCH="arm64";; esac
-  _URL="$_FORGEJO/agent-skills/auth-runtime/releases/download/latest/auth-rt-${_OS}-${_ARCH}"
-  mkdir -p "$HOME/.local/bin"
-  if curl -fsSL "$_URL" -o "$HOME/.local/bin/auth-rt" 2>/dev/null; then
-    chmod +x "$HOME/.local/bin/auth-rt"
-    echo "auth-rt installed (downloaded)"
-  else
-    echo "Download failed, building from source..."
-    _SRC="$HOME/.local/share/auth-runtime"
-    if [ -d "$_SRC/.git" ]; then git -C "$_SRC" pull --ff-only
-    else git clone --depth 1 "$_FORGEJO/agent-skills/auth-runtime.git" "$_SRC"
-    fi
-    bash "$_SRC/install.sh"
-  fi
-fi
-
-npm install

package.json

@@ -18,5 +18,7 @@
   "peerDependencies": {
     "typescript": "^5.0.0"
   },
-  "dependencies": {}
+  "dependencies": {
+    "@clawd/auth-runtime": "git+http://192.168.0.108:3030/agent-skills/auth-runtime.git"
+  }
 }

scripts/run.ts

@@ -87,7 +87,7 @@ async function main(): Promise<void> {
   if (parsed.clientKey) process.env.CLIENT_KEY = parsed.clientKey;
   if (parsed.authBase) process.env.AUTH_BASE = parsed.authBase;
 
-  const result = await runClientFinder(parsed.query, parsed.country || 'US', parsed.dryRun);
+  const result = await runClientFinder(parsed.query, parsed.country, parsed.dryRun);
 
   console.log(JSON.stringify(result, null, 2));
 }

src/auth-cli.ts

@@ -1,119 +0,0 @@
-/**
- * Thin CLI wrapper for auth-runtime.
- *
- * Copy this file into your skill's src/ directory. It calls the
- * `auth-rt` binary (a standalone Go executable), so the skill has
- * zero npm/runtime dependency on auth-runtime.
- *
- * Prerequisites:
- *   `auth-rt` must be in PATH or at ~/.local/bin/auth-rt
- *   (install.sh handles this automatically)
- *
- * Usage:
- *   import { createSkillClient } from './auth-cli.ts';
- *   const client = createSkillClient();
- *   const res = await client.post('/ecom/tasks/scrape', { url: '...' });
- */
-
-import { spawnSync } from 'child_process';
-import * as path from 'path';
-import * as os from 'os';
-
-const home = process.env.HOME || os.homedir();
-const AUTH_RT_BIN = process.env.AUTH_RT_BIN
-  || (() => {
-    // Check if auth-rt is in PATH
-    const which = spawnSync('which', ['auth-rt'], { encoding: 'utf-8' });
-    if (which.status === 0 && which.stdout.trim()) {
-      return which.stdout.trim();
-    }
-    return path.join(home, '.local', 'bin', 'auth-rt');
-  })();
-
-export interface ApiResponse {
-  status: number;
-  body: string;
-}
-
-export interface SessionResponse {
-  accessToken: string;
-  expiresIn: number;
-  ownerSessionToken?: string;
-  hookUrl?: string;
-  hookToken?: string;
-}
-
-export interface SkillClientOptions {
-  apiBase?: string;
-  dryRun?: boolean;
-}
-
-function runCli(...args: string[]): string {
-  const result = spawnSync(AUTH_RT_BIN, args, {
-    encoding: 'utf-8',
-    timeout: 60_000,
-  });
-
-  if (result.error) {
-    throw new Error(`auth-rt spawn failed: ${result.error.message}`);
-  }
-  if (result.status !== 0) {
-    throw new Error(`auth-rt failed (exit ${result.status}): ${(result.stderr || '').trim()}`);
-  }
-  return (result.stdout || '').trim();
-}
-
-export class SkillClient {
-  private readonly apiBase?: string;
-  private readonly dryRun: boolean;
-
-  constructor(options: SkillClientOptions = {}) {
-    this.apiBase = options.apiBase;
-    this.dryRun = options.dryRun ?? false;
-  }
-
-  async session(): Promise<SessionResponse> {
-    if (this.dryRun) {
-      return { accessToken: '<dry-run-token>', expiresIn: 900 };
-    }
-    return JSON.parse(runCli('session'));
-  }
-
-  async get(urlPath: string): Promise<ApiResponse> {
-    return this.request('GET', urlPath);
-  }
-
-  async post(urlPath: string, body?: unknown): Promise<ApiResponse> {
-    return this.request('POST', urlPath, body);
-  }
-
-  async put(urlPath: string, body?: unknown): Promise<ApiResponse> {
-    return this.request('PUT', urlPath, body);
-  }
-
-  async patch(urlPath: string, body?: unknown): Promise<ApiResponse> {
-    return this.request('PATCH', urlPath, body);
-  }
-
-  async delete(urlPath: string, body?: unknown): Promise<ApiResponse> {
-    return this.request('DELETE', urlPath, body);
-  }
-
-  private async request(method: string, urlPath: string, body?: unknown): Promise<ApiResponse> {
-    if (this.dryRun) {
-      return { status: 200, body: JSON.stringify({ dryRun: true, method, path: urlPath }) };
-    }
-    const args = ['request', method, urlPath];
-    if (body != null) {
-      args.push('--body', JSON.stringify(body));
-    }
-    if (this.apiBase) {
-      args.push('--api-base', this.apiBase);
-    }
-    return JSON.parse(runCli(...args));
-  }
-}
-
-export function createSkillClient(options?: SkillClientOptions): SkillClient {
-  return new SkillClient(options);
-}

src/index.ts

@@ -1,80 +1,199 @@
-import type { OutputResult } from './types.js';
-import { createSkillClient } from './auth-cli.ts';
+import type { EnvConfig, OutputResult } from './types.js';
+import { createEnvConfig as createBaseEnvConfig, getAccessToken } from '@clawd/auth-runtime';
 import { normalizeQuery, resolveExpansion } from './expansion.js';
 import { startWorkflow } from './workflow.js';
 
-export async function runClientFinder(
-  query: string,
-  country: string = 'US',
-  dryRun: boolean = false,
-): Promise<OutputResult> {
-  if (!query) {
-    return result('failed', { error: 'missing query argument' });
-  }
-
-  const rawQuery = normalizeQuery(query);
-  const countryUpper = country.toUpperCase();
-  const llmExpansion = process.env.QUERY_EXPANSION_JSON || '';
-  const expansion = resolveExpansion(rawQuery, countryUpper, llmExpansion);
-
-  // Build expansion context
-  const ctx: Partial<OutputResult> = {
-    inputQuery: rawQuery,
-    expandedQueries: expansion.expandedQueries,
-    primaryQuery: expansion.primaryQuery,
-    expansionStatus: expansion.ok ? 'success' : 'failed',
-    expansionSource: expansion.expansionSource,
-    expansionError: expansion.error || null,
-    usedFallbackQuery: false,
+/**
+ * Create client-finder specific environment configuration
+ * Extends the shared auth config with skill-specific fields
+ */
+function createEnvConfig(): EnvConfig {
+  const baseConfig = createBaseEnvConfig();
+  return {
+    ...baseConfig,
+    queryExpansionJson: process.env.QUERY_EXPANSION_JSON || '',
   };
-
-  // Handle expansion failure — fallback to raw query
-  if (!expansion.ok) {
-    if (!rawQuery) {
-      return result('failed', { ...ctx, error: expansion.error || 'query is empty' });
-    }
-    ctx.primaryQuery = rawQuery;
-    ctx.expandedQueries = [rawQuery];
-    ctx.expansionSource = 'raw_query';
-    ctx.expansionError = `query expansion failed: ${expansion.error}; fallback to raw query`;
-    ctx.usedFallbackQuery = true;
-  }
-
-  if (!ctx.primaryQuery) {
-    return result('failed', { ...ctx, error: 'primary query is empty after expansion' });
-  }
-
-  if (dryRun) {
-    return result('success', { ...ctx, workflowStatus: 'dry_run' });
-  }
-
-  let client;
-  try {
-    client = createSkillClient();
-  } catch (error) {
-    return result('failed', { ...ctx, error: error instanceof Error ? error.message : String(error) });
-  }
-
-  const wf = await startWorkflow(client, ctx.primaryQuery, country.toLowerCase());
-
-  if (!wf.workflowId) {
-    return result('failed', { ...ctx, error: `start failed: ${wf.error}` });
-  }
-
-  return result('success', { ...ctx, workflowId: wf.workflowId, workflowStatus: 'accepted' });
 }
 
-function result(status: 'success' | 'failed', overrides: Partial<OutputResult> = {}): OutputResult {
+/**
+ * Main entry point for client-finder skill
+ */
+export async function runClientFinder(
+  query: string,
+  country: string,
+  dryRun: boolean = false,
+): Promise<OutputResult> {
+  const config = createEnvConfig();
+
+  // Validate query
+  if (!query) {
+    return createFailedResult('', 'missing query argument');
+  }
+
+  // Normalize query
+  const rawQuery = normalizeQuery(query);
+  const countryUpper = country.toUpperCase();
+  const countryLower = country.toLowerCase();
+
+  // Resolve expansion
+  const expansion = resolveExpansion(
+    rawQuery,
+    countryUpper,
+    config.queryExpansionJson,
+  );
+
+  let expandedQueries = expansion.expandedQueries;
+  let primaryQuery = expansion.primaryQuery;
+  let expansionStatus = expansion.ok ? 'success' : ('failed' as const);
+  let expansionSource = expansion.expansionSource;
+  let expansionError = expansion.error || '';
+  let usedFallbackQuery = false;
+
+  // Handle expansion failure
+  if (!expansion.ok) {
+    if (rawQuery) {
+      primaryQuery = rawQuery;
+      expandedQueries = [rawQuery];
+      expansionSource = 'raw_query';
+      expansionError = `query expansion failed: ${expansion.error}; fallback to raw query`;
+      usedFallbackQuery = true;
+    } else {
+      expansionError = expansionError || 'query expansion failed: primary query is empty';
+      return createFailedResult(
+        rawQuery,
+        expansionError,
+        expandedQueries,
+        primaryQuery,
+        expansionStatus,
+        expansionSource,
+        expansionError,
+        usedFallbackQuery,
+      );
+    }
+  }
+
+  // Validate primary query
+  if (!primaryQuery) {
+    expansionError = expansionError || 'query expansion failed: primary query is empty';
+    return createFailedResult(
+      rawQuery,
+      expansionError,
+      expandedQueries,
+      primaryQuery,
+      expansionStatus,
+      expansionSource,
+      expansionError,
+      usedFallbackQuery,
+    );
+  }
+
+  // Dry run mode
+  if (dryRun) {
+    return createSuccessResult(
+      rawQuery,
+      expandedQueries,
+      primaryQuery,
+      expansionStatus,
+      expansionSource,
+      expansionError,
+      usedFallbackQuery,
+      '',
+      'dry_run',
+    );
+  }
+
+  // Validate CLIENT_KEY in live mode
+  if (!config.clientKey) {
+    return createFailedResult(
+      rawQuery,
+      'missing required env: CLIENT_KEY',
+      expandedQueries,
+      primaryQuery,
+      expansionStatus,
+      expansionSource,
+      expansionError,
+      usedFallbackQuery,
+    );
+  }
+
+  // Step 1: Exchange CLIENT_KEY for runtime access token
+  let accessToken = '';
+  try {
+    accessToken = await getAccessToken(dryRun, config);
+  } catch (error) {
+    const errorMsg = error instanceof Error ? error.message : 'failed to exchange skill session token';
+    return createFailedResult(
+      rawQuery,
+      errorMsg,
+      expandedQueries,
+      primaryQuery,
+      expansionStatus,
+      expansionSource,
+      expansionError,
+      usedFallbackQuery,
+    );
+  }
+
+  // Step 2: Start workflow with runtime access token
+  const workflowResult = await startWorkflow(
+    config,
+    dryRun,
+    accessToken,
+    primaryQuery,
+    countryLower,
+  );
+
+  if (!workflowResult.workflowId) {
+    return createFailedResult(
+      rawQuery,
+      `start failed: ${workflowResult.error}`,
+      expandedQueries,
+      primaryQuery,
+      expansionStatus,
+      expansionSource,
+      expansionError,
+      usedFallbackQuery,
+    );
+  }
+
+  // Step 3: Return accepted immediately
+  return createSuccessResult(
+    rawQuery,
+    expandedQueries,
+    primaryQuery,
+    expansionStatus,
+    expansionSource,
+    expansionError,
+    usedFallbackQuery,
+    '',
+    'accepted',
+    workflowResult.workflowId,
+  );
+}
+
+/**
+ * Create a failed result
+ */
+function createFailedResult(
+  inputQuery: string,
+  error: string,
+  expandedQueries: string[] = [],
+  primaryQuery: string = '',
+  expansionStatus: 'success' | 'failed' = 'failed',
+  expansionSource: 'llm' | 'rule' | 'raw_query' | '' = '',
+  expansionError: string | null = null,
+  usedFallbackQuery: boolean = false,
+): OutputResult {
   return {
-    status,
-    error: null,
-    inputQuery: '',
-    expandedQueries: [],
-    primaryQuery: '',
-    expansionStatus: 'failed',
-    expansionSource: '',
-    expansionError: null,
-    usedFallbackQuery: false,
+    status: 'failed',
+    error: error || null,
+    inputQuery,
+    expandedQueries,
+    primaryQuery,
+    expansionStatus,
+    expansionSource,
+    expansionError: expansionError || null,
+    usedFallbackQuery,
     runId: '',
     workflowId: '',
     workflowStatus: '',
@@ -83,6 +202,41 @@ function result(status: 'success' | 'failed', overrides: Partial<OutputResult> =
     businessesCount: 0,
     contactsCount: 0,
     uniqueContactDomains: 0,
-    ...overrides,
+  };
+}
+
+/**
+ * Create a success result
+ */
+function createSuccessResult(
+  inputQuery: string,
+  expandedQueries: string[],
+  primaryQuery: string,
+  expansionStatus: 'success' | 'failed',
+  expansionSource: 'llm' | 'rule' | 'raw_query' | '',
+  expansionError: string | null,
+  usedFallbackQuery: boolean,
+  runId: string,
+  workflowStatus: string,
+  workflowId: string = '',
+): OutputResult {
+  return {
+    status: 'success',
+    error: null,
+    inputQuery,
+    expandedQueries,
+    primaryQuery,
+    expansionStatus,
+    expansionSource,
+    expansionError,
+    usedFallbackQuery,
+    runId,
+    workflowId,
+    workflowStatus,
+    billingReserveStatus: 'SKIPPED',
+    billingFinalizeStatus: 'SKIPPED',
+    businessesCount: 0,
+    contactsCount: 0,
+    uniqueContactDomains: 0,
   };
 }

src/types.ts

@@ -1,3 +1,5 @@
+import type { EnvConfig as BaseEnvConfig } from '@clawd/auth-runtime';
+
 /**
  * Query expansion result from LLM or rule-based logic
  */
@@ -43,3 +45,10 @@ export interface OutputResult {
   uniqueContactDomains: number;
 }
 
+/**
+ * Client-finder specific environment configuration
+ * Extends the shared auth config with skill-specific fields
+ */
+export interface EnvConfig extends BaseEnvConfig {
+  queryExpansionJson: string;
+}

src/workflow.ts

@@ -1,4 +1,5 @@
-import type { SkillClient } from './auth-cli.ts';
+import { requestApiWithAutoRefresh } from '@clawd/auth-runtime';
+import type { EnvConfig as AuthEnvConfig } from '@clawd/auth-runtime';
 import { WorkflowStartResponse } from './types.js';
 
 /**
@@ -17,15 +18,26 @@ export function parseWorkflowId(responseBody: string): string {
  * Start cold outreach workflow
  */
 export async function startWorkflow(
-  client: SkillClient,
+  config: AuthEnvConfig,
+  dryRun: boolean,
+  accessToken: string,
   query: string,
   country: string,
 ): Promise<{ workflowId: string; error: string }> {
-  const result = await client.post('/ecom/cold-outreach/run-flow', {
+  const payload = JSON.stringify({
     query,
     country,
   });
 
+  const result = await requestApiWithAutoRefresh(
+    'POST',
+    `${config.authBase}/ecom/cold-outreach/run-flow`,
+    dryRun,
+    config,
+    payload,
+    accessToken,
+  );
+
   if (result.status < 200 || result.status >= 300) {
     const error = parseError(result.body);
     return {