Auth0 Expo

Pass
Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: auth0-expo
Version: 1.0.1

The auth0-expo skill bundle is a legitimate tool designed to automate the integration of Auth0 authentication into Expo (React Native) applications. It includes a comprehensive bootstrap script (scripts/bootstrap.mjs) that uses the official Auth0 CLI to discover and configure Auth0 resources, and it correctly manages Expo's app.json configuration. The instructions in SKILL.md and the supporting utility scripts (validation.mjs, auth0-api.mjs) follow standard automation patterns, include appropriate user confirmation steps, and show no signs of malicious intent, data exfiltration, or prompt injection.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run against the wrong tenant or project, it can create Auth0 applications/connections or change callback/logout settings in the wrong place.

Why it was flagged

The automatic setup uses the user's Auth0 CLI session to create or update resources in an Auth0 tenant and edit the local project. This is purpose-aligned but grants meaningful account authority.

Skill content

The script validates the Expo project, creates a Native Auth0 application, sets up a database connection, and writes the plugin config to app.json.

Recommendation

Use automatic setup only after verifying the active Auth0 tenant, reviewing the change plan, and confirming the project path. Choose manual setup if you do not want the agent/script to mutate the tenant.

What this means

Approving the prompt can modify both your Auth0 account configuration and your Expo app configuration.

Why it was flagged

The helper chains tenant changes and local file writes after a confirmation prompt. The prompt is a good control, but the operations are still high-impact setup actions.

Skill content

const confirmed = await confirmWithUser("Apply these changes?") ... const client = await applyNativeClientChanges(plan.client) ... await writeAppJsonConfig(domain, config.customScheme, config.appJsonPath)

Recommendation

Read the displayed change plan before approving, keep a backup or git diff of app.json, and abort if the tenant, callback URLs, or app name are not expected.
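The tenant, callback URL, app name and project path checks recommended in the two findings above, written as an added example for this review; it is not code from the auth0-expo skill. The shape of the plan and expectation objects, their field names, and the callback URL pattern `<scheme>://<tenant domain>/<platform>/<bundle id>/callback` are assumptions with constructed sample values, and the `askUser` callback stands in for whatever prompt helper the skill uses (its confirmWithUser is not reproduced here).

```javascript
// Added example for this audit page, not code from the auth0-expo skill: a
// pre-apply gate that verifies the displayed change plan against what the
// developer expects before any tenant or app.json mutation happens.
// Field names and the callback URL pattern
// (<scheme>://<tenant>/<platform>/<bundle id>/callback) are assumptions.

// Constructed sample plan, as a bootstrap script might display it.
const SAMPLE_PLAN = {
  tenantDomain: 'dev-example.us.auth0.com',
  appName: 'My Expo App',
  appJsonPath: '/home/dev/my-expo-app/app.json',
  callbackUrls: [
    'myapp://dev-example.us.auth0.com/ios/com.example.myapp/callback',
    'myapp://dev-example.us.auth0.com/android/com.example.myapp/callback',
  ],
  logoutUrls: [
    'myapp://dev-example.us.auth0.com/ios/com.example.myapp/callback',
    'myapp://dev-example.us.auth0.com/android/com.example.myapp/callback',
  ],
};

// What the developer verified out-of-band (active tenant, project directory,
// custom scheme) before running the helper. Constructed values.
const EXPECTED = {
  tenantDomain: 'dev-example.us.auth0.com',
  appName: 'My Expo App',
  projectDir: '/home/dev/my-expo-app',
  customScheme: 'myapp',
};

// Returns the reasons the plan must not be applied; an empty list means safe.
function verifyChangePlan(plan, expected) {
  const problems = [];
  const tenant = expected.tenantDomain.toLowerCase();

  if (plan.tenantDomain.toLowerCase() !== tenant) {
    problems.push(`tenant mismatch: plan targets ${plan.tenantDomain}, expected ${expected.tenantDomain}`);
  }
  if (plan.appName !== expected.appName) {
    problems.push(`app name mismatch: ${plan.appName} vs ${expected.appName}`);
  }
  // Only ever touch app.json inside the project the developer pointed at.
  if (!plan.appJsonPath.startsWith(expected.projectDir + '/') || plan.appJsonPath.includes('/../')) {
    problems.push(`app.json path outside project: ${plan.appJsonPath}`);
  }
  // Every callback and logout URL must use the app's own custom scheme and
  // name the expected tenant; anything else would send the authorization
  // response (and the tokens it carries) somewhere the developer did not choose.
  for (const url of [...plan.callbackUrls, ...plan.logoutUrls]) {
    let parsed;
    try {
      parsed = new URL(url);
    } catch {
      problems.push(`unparseable URL: ${url}`);
      continue;
    }
    if (parsed.protocol !== `${expected.customScheme}:`) {
      problems.push(`unexpected scheme in ${url}`);
    }
    if (parsed.hostname.toLowerCase() !== tenant) {
      problems.push(`callback host is not the tenant: ${url}`);
    }
  }
  return problems;
}

// Gate to use instead of a bare "Apply these changes?" prompt: refuse outright
// when verification fails, and only then hand the decision to the user.
async function confirmPlan(plan, expected, askUser) {
  const problems = verifyChangePlan(plan, expected);
  if (problems.length > 0) {
    return { apply: false, problems };
  }
  const apply = await askUser('Plan matches the expected tenant and project. Apply these changes?');
  return { apply, problems };
}

// Stand-alone run with a stub prompt that declines, so nothing is mutated.
confirmPlan(SAMPLE_PLAN, EXPECTED, async () => false).then((result) => console.log(result));
```

Run the verification before the prompt, not after it: a confirmation dialog only helps if the text the user reads is the same plan that gets applied, and a hard refusal on tenant or callback mismatch removes the chance of approving the wrong tenant by reflex.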

What this means

The helper script may install newer compatible dependency versions than those originally tested.

Why it was flagged

The setup instructions run npm install for helper dependencies specified with version ranges, and the provided manifest does not include a lockfile, so exact installed package versions may vary.

Skill content

"dependencies": { "@inquirer/prompts": "^8.1.0", "execa": "^9.0.0", "ora": "^8.0.0" }

Recommendation

Run the setup in a trusted environment, consider adding or reviewing a lockfile, and inspect dependency changes if supply-chain reproducibility matters.
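A small reproducibility audit for the manifest quoted above, added here as an example rather than taken from the skill: it lists every dependency whose spec is a floating range and rewrites those specs to the exact versions a reviewed install resolved. The manifest is constructed from the three dependencies shown on this page; the resolved versions are made-up values that satisfy the ranges, not the result of a real lookup.

```javascript
// Added example for this audit page, not code from the auth0-expo skill: flag
// floating version ranges in a package.json and pin them to exact versions.
// PACKAGE_JSON is constructed from the page's dependency list; RESOLVED holds
// made-up versions satisfying those ranges, standing in for `npm ls --json`
// output from an install that was reviewed.

const PACKAGE_JSON = JSON.stringify({
  name: 'auth0-expo-bootstrap',
  dependencies: { '@inquirer/prompts': '^8.1.0', execa: '^9.0.0', ora: '^8.0.0' },
}, null, 2);

// Exact semver, optionally with prerelease/build metadata. Anything else
// (^, ~, x-ranges, dist-tags, git or URL specs) is a floating spec.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Lists every dependency whose spec is not an exact version.
function findUnpinned(manifestText) {
  const manifest = JSON.parse(manifestText);
  const unpinned = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!EXACT_VERSION.test(spec)) unpinned.push({ section, name, spec });
    }
  }
  return unpinned;
}

// Rewrites floating specs to the versions in `resolved` (name -> version).
// Refuses to emit a manifest that would still leave any package floating.
function pinManifest(manifestText, resolved) {
  const manifest = JSON.parse(manifestText);
  for (const { section, name, spec } of findUnpinned(manifestText)) {
    const version = resolved[name];
    if (!version || !EXACT_VERSION.test(version)) {
      throw new Error(`no exact resolved version for ${name} (spec ${spec})`);
    }
    manifest[section][name] = version;
  }
  return JSON.stringify(manifest, null, 2) + '\n';
}

// Constructed: pretend these are the versions a reviewed install resolved.
const RESOLVED = { '@inquirer/prompts': '8.1.0', execa: '9.0.0', ora: '8.0.0' };

console.log('floating specs:', findUnpinned(PACKAGE_JSON));
console.log(pinManifest(PACKAGE_JSON, RESOLVED));
```

Pinning the manifest is a complement to a lockfile, not a replacement: transitive dependencies are only fixed by a lockfile, and `npm ci` (which refuses to run without one and fails if it disagrees with package.json) is the install command that actually reproduces a reviewed tree.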

What this means

Access tokens could appear in device, development, or production logs if these examples are copied directly.

Why it was flagged

Reference examples print access tokens. This appears illustrative rather than exfiltrative, but copying it into real app code could expose tokens in logs.

Skill content

console.log('Access Token:', credentials.accessToken); ... console.log('API Token:', apiCredentials.accessToken);

Recommendation

Remove token logging from generated app code and follow the skill's security guidance to avoid logging tokens in production.
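What to write instead of the console.log lines quoted above, as an added example for this review and not code from the skill or from react-native-auth0: a credentials summary that logs only non-secret claims of a JWT (issuer, audience, expiry) and a scrubber for log text that already contains a token. The credentials object shape (accessToken, refreshToken, expiresAt, scope) and the sample token are constructed; the token is built in the code with a fake signature so that it decodes but never verifies.

```javascript
// Added example for this audit page, not code from the auth0-expo skill.
// Logs a description of credentials without the token material itself, and
// redacts JWT-shaped strings from arbitrary log text. The credentials shape
// and the sample token are constructed; the signature is a placeholder.

function b64url(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromB64url(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64').toString('utf8');
}

// Constructed sample: a JWT-shaped access token with a fake signature.
const SAMPLE_EXP = 1777000000;
const SAMPLE_ACCESS_TOKEN = [
  b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' })),
  b64url(JSON.stringify({
    iss: 'https://dev-example.us.auth0.com/',
    aud: 'https://api.example.com',
    exp: SAMPLE_EXP,
    scope: 'openid profile',
  })),
  'constructedsignature',
].join('.');

const SECRET_KEYS = new Set(['accessToken', 'idToken', 'refreshToken']);
// Three base64url segments, header starting with "eyJ" ({"...): the shape of
// every compact JWS, which is what Auth0 access and ID tokens are.
const JWT_RE = /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]+/g;

// Describes a token without reproducing any part of it: for a JWT the
// non-secret claims a developer needs for debugging, otherwise only the length.
function tokenSummary(token) {
  const parts = token.split('.');
  if (parts.length === 3 && parts[0].startsWith('eyJ')) {
    try {
      const claims = JSON.parse(fromB64url(parts[1]));
      return { kind: 'jwt', length: token.length, iss: claims.iss, aud: claims.aud, exp: claims.exp };
    } catch {
      // Not a decodable JWT payload; treat as opaque below.
    }
  }
  return { kind: 'opaque', length: token.length };
}

// Replacement for `console.log('Access Token:', credentials.accessToken)`:
// secret fields become summaries, everything else is passed through.
function describeCredentials(credentials) {
  const safe = {};
  for (const [key, value] of Object.entries(credentials)) {
    safe[key] = SECRET_KEYS.has(key) && typeof value === 'string' ? tokenSummary(value) : value;
  }
  return safe;
}

// Last line of defence for log pipelines: strip JWT-shaped strings from text
// that some other code path already formatted.
function scrubLogText(text) {
  return text.replace(JWT_RE, (match) => `[jwt redacted, ${match.length} chars]`);
}

const credentials = {
  accessToken: SAMPLE_ACCESS_TOKEN,
  refreshToken: 'v1.constructedOpaqueRefreshToken',
  expiresAt: SAMPLE_EXP,
  scope: 'openid profile',
};
console.log('Credentials:', describeCredentials(credentials));
console.log(scrubLogText('Access Token: ' + SAMPLE_ACCESS_TOKEN));
```

The summary deliberately omits prefixes and suffixes of the token: a "last four characters" style redaction is fine for card numbers but gives an attacker a hint for matching a leaked token across logs, and the claims already identify which token was in play.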