Auth0 Fastapi Api
Pass
Audited by VirusTotal on May 6, 2026.
Overview
Type: OpenClaw Skill
Name: auth0-fastapi-api
Version: 1.0.1
The skill bundle provides a legitimate integration for Auth0 authentication within FastAPI applications using the 'auth0-fastapi-api' package. It includes comprehensive documentation for JWT validation, DPoP support, and scope-based authorization. The instructions for the AI agent (SKILL.md) prioritize security and user consent, explicitly directing the agent to ask for permission before running CLI scripts and warning it never to read the contents of the '.env' file to prevent secret leakage into the LLM context. No indicators of data exfiltration, malicious execution, or harmful prompt injection were found; the content aligns with standard security best practices for API authentication.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you choose the automated path, the agent may make real changes in your Auth0 account and local project files.
The skill may direct the agent to run CLI automation that mutates an Auth0 tenant and writes a local config file; the same section also requires the agent to ask the user before proceeding, making this purpose-aligned but still worth review.
"Automated — I'll run Auth0 CLI scripts that create the resource and write the exact values to your `.env` automatically."
Use the manual path or ask to review each command first if you are unsure; confirm the target Auth0 tenant, API identifier, and how .env will be created or updated.
The agent may operate with your Auth0 account privileges during setup.
The setup flow depends on an authenticated Auth0 CLI session and uses that delegated account access to create an API resource.
auth0 login --no-input
# Create an Auth0 API resource
auth0 apis create \
Run this in the intended tenant, prefer least-privileged/test environments where possible, and do not share Auth0 tokens, client secrets, or copied access tokens in chat unless strictly necessary.
Your project may receive whatever package versions are current at install time, including beta SDK changes.
The skill instructs installation of external packages without pinned versions; the same document notes the SDK is currently beta.
pip install auth0-fastapi-api python-dotenv
Verify the package source, consider pinning versions, and review dependency updates before using in production.
If you reuse that example with a shared Redis database and the clear method is called, unrelated cached data could be removed.
The advanced Redis cache adapter example clears the entire selected Redis database, which could affect unrelated application data if copied into a shared Redis database.
def clear(self):
    self.redis.flushdb()
Use a dedicated Redis database or implement key-prefix-based deletion instead of flushdb for an Auth0 cache adapter.
