Skill v1.0.0
ClawScan security
Auth0 Fastify · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 15, 2026, 3:55 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: Instruction-only skill that documents how to add Auth0 session-based auth to Fastify; its requested secrets and steps are appropriate and proportional to the stated purpose.
- Guidance: This skill is a documentation-only recipe for adding Auth0 session auth to Fastify and appears coherent. Before using: (1) do not commit .env or secrets to version control; keep AUTH0_CLIENT_SECRET and SESSION_SECRET private and rotate if exposed; (2) ensure you create a Regular Web Application in Auth0 (not SPA) and add the correct callback URL; (3) verify @auth0/auth0-fastify is the official package and review package versions from the npm registry; (4) follow Node/Fastify version requirements (Node 20, Fastify v5+). The registry metadata doesn't declare env vars (the guide does); that's not dangerous, but double-check you only provide Auth0 credentials needed for this app.
Review Dimensions
- Purpose & Capability (ok): Name/description match the content: SKILL.md explains integrating @auth0/auth0-fastify into Fastify apps and only asks for packages and Auth0-related config that are directly relevant.
- Instruction Scope (ok): Runtime instructions are limited to installing npm packages, creating a .env with Auth0 and session secrets, and registering the plugin in Fastify. The guide does not instruct reading unrelated system files, exfiltrating data, or contacting unexpected endpoints.
- Install Mechanism (ok): This is an instruction-only skill with no install spec or remote downloads. It recommends standard npm packages from the registry; no high-risk fetches or archive extraction are involved.
- Credentials (ok): The env vars shown in the guide (AUTH0_DOMAIN, AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET, SESSION_SECRET, APP_BASE_URL) are the expected and necessary credentials/config for Auth0 server-side integration. No unrelated credentials are requested.
- Persistence & Privilege (ok): Skill is not always-enabled and does not request persistent system changes. It's a documentation/instruction skill and does not modify other skills or system-wide settings.
