Acul Screen Generator

Pass. Audited by ClawScan on May 10, 2026.

Overview

This skill appears purpose-aligned for generating Auth0 login screens, but it uses Auth0 tenant/account context and generated credential-handling code that should be reviewed before use.

Before installing or using this skill, make sure you are logged into the correct Auth0 tenant, use connected mode only on dev or staging tenants, verify any external GitHub examples you copy, and review generated login-page code for proper escaping before production deployment.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Commands may run against the user's Auth0 tenant, so using the wrong tenant or account could expose or affect the wrong login configuration.

Why it was flagged

The workflow asks the user to authenticate the Auth0 CLI and operate in an Auth0 tenant context, which is expected for this Auth0 screen generator but is a delegated account boundary.

Skill content

Phase 0: CLI Authentication & Tenant Check: `auth0 login` and `auth0 acul config list --rendering-mode advanced`

Recommendation

Verify the active Auth0 tenant before running commands, prefer a dev/stage tenant, and avoid granting broader account access than needed.

What this means

If connected mode is run against production, it could change live Universal Login behavior.

Why it was flagged

The referenced CLI workflow can sync rendering settings to an Auth0 tenant. The artifact discloses this and includes a staging/dev warning, but it is still a high-impact command path.

Skill content

Connected mode — updates rendering settings on tenant (stage/dev only) ... `auth0 acul dev --connected -s login-id` ... `only use on stage/dev tenants, never production.`

Recommendation

Require explicit user approval before connected-mode commands and use them only against non-production tenants.

What this means

Generated code may vary if upstream examples change.

Why it was flagged

The skill directs the agent to use external GitHub references on mutable `main`/`master` branches. These are purpose-aligned Auth0 sources, but their content can change over time.

Skill content

`https://github.com/auth0-samples/auth0-acul-samples/tree/main/...` and `https://github.com/auth0/universal-login/blob/master/...`

Recommendation

For production work, verify the referenced source and consider pinning to a reviewed commit or release.

What this means

If unsafe HTML reaches these fields, a generated login page could become vulnerable to script injection.

Why it was flagged

The Vanilla JS template renders SDK-provided text and error messages through `innerHTML`. This is common template code, but dynamic HTML should be escaped if any value can be influenced by untrusted content.

Skill content

const msgs = manager.getErrors().map(e => `<p>${e.message}</p>`).join('') ... container.innerHTML = ` ... ${manager.screen.texts?.title ?? 'Enter your password'} ... ${renderErrors()} ...`

Recommendation

Escape dynamic values, render them with `textContent`/DOM APIs, or use React/JSX escaping before deploying generated Vanilla JS screens.