Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clerk Auth

v0.1.0

Clerk auth with API Keys beta (Dec 2025), Next.js 16 proxy.ts (March 2025 CVE context), API version 2025-11-10 breaking changes, clerkMiddleware() options, webhooks, production considerations (GCP outages), and component reference. Prevents 15 documented errors. Use when: API keys for users/orgs, Next.js 16 middleware filename, troubleshooting JWKS/CSRF/JWT/token-type-mismatch errors, webhook verification, user type inconsistencies, or testing with 424242 OTP.

0· 1.6k·1 current·1 all-time
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description match the included content (Next.js/React/Workers Clerk auth guidance, middleware, webhooks, testing, and JWT templates). The code files (templates and scripts) are consistent with a Clerk integration skill — requiring secret keys and webhook secrets is expected for this purpose. However, the package metadata declares no required environment variables or primary credential while the instructions and scripts clearly expect CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY, CLERK_WEBHOOK_SECRET, and testing tokens. That metadata omission is an incoherence that reduces transparency.
Instruction Scope
The SKILL.md and the companion 'clerk-setup' agent provide explicit runtime steps that read the repo (grep/find), check environment files, create .env.local/.dev.vars, call Clerk APIs, and run helper scripts (generate-session-token.js). Those actions are within the stated purpose (setup, verification, testing), but they do include searching the filesystem for CLERK vars and examples that involve handling secrets — which is sensitive. The instructions also recommend commands that will store secrets into Cloudflare (wrangler secret put) and show curl examples using sk_test keys; these are expected but require careful handling.
Install Mechanism
There is no install spec (instruction-only with bundled templates/scripts). That is low risk from an installation perspective because nothing is automatically downloaded or extracted from untrusted URLs. The included scripts and templates are present in the bundle for local review/execution.
Credentials
The skill references multiple sensitive environment variables (CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY, CLERK_WEBHOOK_SECRET, CLERK_TESTING_TOKEN) and instructs generating and using session/testing tokens. Yet the registry metadata lists no required env vars or primary credential. This mismatch is a transparency/permission concern: the skill will only be useful if you provide secrets, and the agent workflows will search for and manipulate files containing them. Requesting secrets is appropriate for Clerk tasks, but the metadata should explicitly declare this.
Persistence & Privilege
always:false (good). The included 'clerk-setup' agent is configured with tools that permit filesystem and network interaction (Read, Write, Edit, Bash, Grep, Glob, WebFetch). Those capabilities are reasonable for an automated setup agent, but they raise the usual risk: if you allow the agent to run autonomously it can read .env files, run shell commands, and make network calls using any keys it finds. No evidence it modifies other skills or requests permanent platform-level presence.
What to consider before installing
- Metadata mismatch: The skill's manifest declares no required environment variables, but the instructions and scripts clearly need Clerk secrets (CLERK_SECRET_KEY, CLERK_PUBLISHABLE_KEY, CLERK_WEBHOOK_SECRET, testing tokens). Treat that as a transparency issue — confirm which secrets you must provide and why before running anything.
- Review files locally first: Inspect scripts/generate-session-token.js and other templates for any unexpected network endpoints or behavior. The bundle appears to call official Clerk endpoints (api.clerk.com), which is expected; confirm there are no hidden/obfuscated endpoints.
- Use test keys / least privilege: Do not supply production secret keys to the skill or the agent. Use ephemeral or test keys (sk_test_*) and review results before using production credentials.
- Limit agent permissions: If the platform asks to grant the skill/agent filesystem or shell access, restrict it or run the setup steps manually in a sandboxed environment. The 'clerk-setup' agent will grep files and can read .env files — avoid exposing secrets accidentally.
- Verify webhook & Cloudflare instructions: The skill tells you to run 'wrangler secret put' and to store webhook secrets. Follow best practices (store secrets in dedicated secret stores, don't commit .env files, use CI secrets for CI runs).
- Sanity checks: Run the helper scripts in an isolated environment, grep the repo for any unexpected hard-coded tokens, and ensure the skill's code matches the official Clerk docs for any security-sensitive operations.

If you want higher confidence, verify the skill author/source (homepage/repo owner), request that the required env vars be declared in the registry metadata, and remove any overly-broad agent automation so you can run the steps manually.


latest: vk974xjjd4xt1e499xxh3d7vsa5808zbh

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
