Acul Screen Generator

Advisory: Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Commands may run against the user's Auth0 tenant, so using the wrong tenant or account could expose or affect the wrong login configuration.

Why it was flagged

The workflow asks the user to authenticate the Auth0 CLI and operate in an Auth0 tenant context, which is expected for this Auth0 screen generator but is a delegated account boundary.

Skill content

Phase 0: CLI Authentication & Tenant Check: `auth0 login` and `auth0 acul config list --rendering-mode advanced`

Recommendation

Verify the active Auth0 tenant before running commands, prefer a dev/stage tenant, and avoid granting broader account access than needed.

What this means

If connected mode is run against production, it could change live Universal Login behavior.

Why it was flagged

The referenced CLI workflow can sync rendering settings to an Auth0 tenant. The artifact discloses this and includes a staging/dev warning, but it is still a high-impact command path.

Skill content

Connected mode — updates rendering settings on tenant (stage/dev only) ... `auth0 acul dev --connected -s login-id` ... `only use on stage/dev tenants, never production.`

Recommendation

Require explicit user approval before connected-mode commands and use them only against non-production tenants.

What this means

Generated code may vary if upstream examples change.

Why it was flagged

The skill directs the agent to use external GitHub references on mutable `main`/`master` branches. These are purpose-aligned Auth0 sources, but their content can change over time.

Skill content

`https://github.com/auth0-samples/auth0-acul-samples/tree/main/...` and `https://github.com/auth0/universal-login/blob/master/...`

Recommendation

For production work, verify the referenced source and consider pinning to a reviewed commit or release.

What this means

If unsafe HTML reaches these fields, a generated login page could become vulnerable to script injection.

Why it was flagged

The Vanilla JS template renders SDK-provided text and error messages through `innerHTML`. This is common template code, but dynamic HTML should be escaped if any value can be influenced by untrusted content.

Skill content

const msgs = manager.getErrors().map(e => `<p>${e.message}</p>`).join('') ... container.innerHTML = ` ... ${manager.screen.texts?.title ?? 'Enter your password'} ... ${renderErrors()} ...`

Recommendation

Escape dynamic values, render them with `textContent`/DOM APIs, or use React/JSX escaping before deploying generated Vanilla JS screens.

Findings (1)

critical

suspicious.exposed_secret_literal

Location

assets/js-templates/login-password.js:106

Finding

File appears to expose a hardcoded API secret or token.