Auth0 CLI
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: auth0-cli
Version: 1.0.1
The auth0-cli skill bundle is a comprehensive and well-documented reference for the official Auth0 CLI tool, designed to help an AI agent manage Auth0 tenants. It provides detailed instructions and examples for managing applications, users, roles, and security settings in SKILL.md and references/cli.md, supported by a thorough suite of functional tests in tests/evals.json. No indicators of malicious intent, such as data exfiltration, unauthorized execution, or deceptive prompt injection, were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, direct API calls could change sensitive Auth0 tenant settings beyond the user’s immediate intent.
The skill explicitly supports direct Management API use, which is powerful and can bypass narrower CLI workflows, but this is disclosed and aligned with the Auth0 administration purpose.
or when you need to call the Auth0 Management API directly
Prefer dedicated scoped CLI commands when available, and require the user to confirm the tenant, endpoint, method, and payload before direct Management API calls.
A mistaken command could delete or alter Auth0 resources and disrupt login flows for applications or users.
The reference documents a no-confirm delete command for Auth0 applications. This is a legitimate CLI option, but destructive tenant changes are high impact.
auth0 apps delete <client-id> --force # skip confirmation
Do not use --force or destructive commands unless the user has explicitly confirmed the exact resource and tenant.
Anyone with these credentials may be able to administer the Auth0 tenant depending on granted scopes.
The CLI can authenticate with machine credentials. This is expected for Auth0 CI/CD administration, but those credentials are sensitive.
auth0 login --domain <tenant>.auth0.com --client-id <id> --client-secret <secret>
Use least-privilege Auth0 applications and scopes, avoid pasting secrets into chat unless necessary, and rotate any exposed secrets.
Secrets may appear in the terminal or agent context and could be accidentally shared or retained.
The documented CLI can display Auth0 client secrets and signing keys in output. This is purpose-aligned but sensitive.
`--reveal-secrets` | `-r` | Show client secret and signing keys
Only reveal secrets when necessary, keep outputs out of shared logs/chats, and redact secrets before sharing command results.
The installed Auth0 CLI will run locally with the user’s account permissions and authenticated Auth0 access.
The skill depends on installing and running an external CLI binary via Homebrew, which is normal for this purpose but still a supply-chain dependency.
brew | package: auth0/auth0-cli/auth0 | creates binaries: auth0
Install from the expected Auth0 Homebrew tap, keep the CLI updated, and verify commands before running them against production tenants.
