Auth0 Java Mvc Common

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.exposed_secret_literal

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user chooses automated setup, the agent may create a new Auth0 application in whichever Auth0 tenant the Auth0 CLI is currently logged into.

Why it was flagged

The automated setup path uses the Auth0 CLI to create an application and configure its callback and logout URLs. This is aligned with the skill's purpose, but it modifies the user's Auth0 tenant rather than only the local project.

Skill content
auth0 apps create --name "My Java Web App" --type regular --callbacks http://localhost:3000/callback --logout-urls http://localhost:3000 --json
Recommendation

Run the automated path only against the intended Auth0 tenant: check which tenant the CLI is logged into (`auth0 tenants list`) before running it, review the application name and the callback and logout URLs, or choose manual setup if you want full control.
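As an added example (not the skill's or Auth0's own code), the pre-flight a reviewer would want before the command above runs: it builds the exact `auth0 apps create` argument list, but only after confirming that the CLI's active tenant is one this project is allowed to change and that every callback and logout URL is either HTTPS or plain http on a loopback host. The tenant names and URLs are constructed for this example; how the active tenant is obtained (for instance from `auth0 tenants list`) is left to the caller, and the assumption that `--callbacks` and `--logout-urls` accept comma-separated lists is marked in the code.

```python
# Added example (not the skill's or Auth0's code): pre-flight for the automated setup path.
import shlex
from urllib.parse import urlsplit

# Hosts on which plain http is acceptable for a development callback.
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def url_ok(url: str) -> bool:
    """Accept https anywhere, or http only on a loopback host."""
    p = urlsplit(url)
    if not p.hostname:
        return False
    return p.scheme == "https" or (p.scheme == "http" and p.hostname in LOOPBACK)


def plan_app_create(active_tenant: str, allowed_tenants: set[str], name: str,
                    callbacks: list[str], logout_urls: list[str]) -> list[str]:
    """Return the argv the skill would run, or raise before anything is created.

    active_tenant is whatever the Auth0 CLI is logged into (the caller reads it,
    e.g. from `auth0 tenants list`); allowed_tenants is the developer's own list.
    """
    if active_tenant not in allowed_tenants:
        raise ValueError(f"CLI is logged into {active_tenant!r}, not a tenant this project may change")
    bad = [u for u in callbacks + logout_urls if not url_ok(u)]
    if bad:
        raise ValueError(f"refusing non-https, non-loopback URLs: {bad}")
    # Assumption: the CLI's --callbacks / --logout-urls flags take comma-separated lists.
    return ["auth0", "apps", "create", "--name", name, "--type", "regular",
            "--callbacks", ",".join(callbacks), "--logout-urls", ",".join(logout_urls), "--json"]


if __name__ == "__main__":
    # Constructed values; nothing here talks to Auth0.
    argv = plan_app_create("dev-myteam", {"dev-myteam"}, "My Java Web App",
                           ["http://localhost:3000/callback"], ["http://localhost:3000"])
    print(shlex.join(argv))
```

The tenant check is the important half: the URL defaults in the skill are harmless on a development tenant, but the same command run while logged into a production tenant adds an application there.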

What this means

The agent may help place Auth0 credentials in the local project environment, and mishandling those values could expose the application's client secret.

Why it was flagged

The skill instructs the agent/user to handle an Auth0 client secret. This is expected for a server-side OAuth web application, but it is sensitive credential material.

Skill content
export AUTH0_DOMAIN="your-tenant.auth0.com"
export AUTH0_CLIENT_ID="your-client-id"
export AUTH0_CLIENT_SECRET="your-client-secret"
Recommendation

Anyone holding the client secret can complete the authorization-code exchange as this application, so treat it like a password. Use a development tenant when testing, keep `.env` out of source control, rotate the secret if it is exposed, and avoid pasting production secrets unless necessary.

What this means

Different installs may use different SDK versions depending on the current GitHub release.

Why it was flagged

The skill asks the agent to dynamically retrieve the latest dependency version from GitHub instead of using only a fixed version. This is disclosed and points to the Auth0 repository, but it can reduce reproducibility.

Skill content
fetch the latest release version by running:
gh api repos/auth0/auth0-java-mvc-common/releases/latest --jq '.tag_name'
Use the returned version in all dependency lines
Recommendation

After setup, check the version the agent selected against the auth0-java-mvc-common release list and pin that exact version in the Maven or Gradle build file rather than a dynamic range, so builds are reproducible and a future release cannot change what you ship without a visible diff.
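As an added example (not the skill's or Auth0's own code), a check to run once the agent has substituted the tag returned by `gh api ... --jq '.tag_name'` into the build files: it normalizes the tag and then confirms that the dependency is declared with that exact version, rejecting ranges, `1.+` style dynamic versions and unresolved properties. The Maven coordinates `com.auth0:mvc-auth-commons`, the version `1.11.0` and the pom/gradle fragments are assumptions constructed for this example, not values taken from the page.

```python
# Added example (not the skill's or Auth0's code): verify the SDK version is pinned after setup.
import re
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
GROUP, ARTIFACT = "com.auth0", "mvc-auth-commons"   # assumed coordinates for this example
EXACT = re.compile(r"^\d+(\.\d+){1,3}$")             # 1.11.0 yes; 1.+, [1.0,) and ${prop} no


def normalize_tag(tag_name: str) -> str:
    """gh returns the release tag as-is; drop whitespace and an optional leading 'v'."""
    tag = tag_name.strip()
    return tag[1:] if tag.startswith("v") and tag[1:2].isdigit() else tag


def maven_pins(pom_xml: str, expected: str) -> tuple[bool, str]:
    """(pinned to expected?, detail) for the dependency in a pom.xml string."""
    root = ET.fromstring(pom_xml)
    for dep in root.iterfind(".//m:dependency", POM_NS):
        g = dep.findtext("m:groupId", default="", namespaces=POM_NS)
        a = dep.findtext("m:artifactId", default="", namespaces=POM_NS)
        if (g, a) != (GROUP, ARTIFACT):
            continue
        v = dep.findtext("m:version", default="", namespaces=POM_NS).strip()
        if not v:
            return False, "no version (inherited from dependencyManagement or a BOM)"
        if not EXACT.match(v):
            # Properties are a valid way to pin, but this check does not resolve them.
            return False, f"dynamic or unresolved version {v!r}"
        return v == expected, v
    return False, "dependency not declared"


GRADLE_DEP = re.compile(rf"""['"]{re.escape(GROUP)}:{re.escape(ARTIFACT)}:([^'"]+)['"]""")


def gradle_pins(build_gradle: str, expected: str) -> tuple[bool, str]:
    """Same check for a 'group:artifact:version' string in build.gradle."""
    m = GRADLE_DEP.search(build_gradle)
    if not m:
        return False, "dependency not declared"
    v = m.group(1)
    if not EXACT.match(v):
        return False, f"dynamic version {v!r}"
    return v == expected, v


# Constructed inputs for this example.
TAG_FROM_GH = "v1.11.0\n"
POM_PINNED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>com.auth0</groupId>
      <artifactId>mvc-auth-commons</artifactId>
      <version>1.11.0</version>
    </dependency>
  </dependencies>
</project>"""
POM_DYNAMIC = POM_PINNED.replace("<version>1.11.0</version>", "<version>[1.0,)</version>")
GRADLE_PINNED = "implementation 'com.auth0:mvc-auth-commons:1.11.0'\n"
GRADLE_DYNAMIC = "implementation 'com.auth0:mvc-auth-commons:1.+'\n"

if __name__ == "__main__":
    want = normalize_tag(TAG_FROM_GH)
    for label, result in [("pom pinned", maven_pins(POM_PINNED, want)),
                          ("pom dynamic", maven_pins(POM_DYNAMIC, want)),
                          ("gradle pinned", gradle_pins(GRADLE_PINNED, want)),
                          ("gradle dynamic", gradle_pins(GRADLE_DYNAMIC, want))]:
        print(label, result)
```

A version declared through a Maven property or a Gradle version catalog is also a pin; extend the check to resolve those if the project uses them rather than accepting any non-literal value.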

Findings (1)

critical

suspicious.exposed_secret_literal

Location
references/integration.md:118
Finding
File appears to expose a hardcoded API secret or token.
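As an added example (not ClawScan's scanner and not the skill's code), an offline approximation of the exposed_secret_literal signal behind this finding and the secret-handling note above: an assignment whose key names a credential is flagged only when its value is not an obvious placeholder and has the length and entropy of a real secret, which is the triage question for a line like references/integration.md:118. Two companion checks cover the recommendation to keep `.env` out of source control and to load the client secret from the environment. The placeholder and key-name lists, the sample file contents and the random-looking value are all constructed for this example.

```python
# Added example (not ClawScan's or the skill's code): placeholder-aware secret literal check.
import math
import re
from collections import Counter

# Values that are clearly templates rather than credentials (assumed list).
PLACEHOLDER = re.compile(r"^(your[-_]|<[^>]*>$|\$\{|\{\{|xxx+$|changeme$|example)", re.I)
# Key names that usually carry credential material (assumed list).
SECRET_KEY = re.compile(r"client[_.-]?secret|api[_.-]?key|token|password", re.I)
# KEY=value, key: value or key = "value" as found in shell, .properties, YAML or prose.
ASSIGN = re.compile(r"""(?P<key>[A-Za-z0-9_.\-]+)\s*[=:]\s*["']?(?P<val>[^"'\s]+)["']?""")


def shannon_entropy(s: str) -> float:
    """Bits per character; randomly generated credentials sit well above 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_real_secret(value: str) -> bool:
    if PLACEHOLDER.match(value) or len(value) < 20:
        return False
    return shannon_entropy(value) >= 3.5


def scan_text(text: str, path: str) -> list[tuple[str, int, str]]:
    """Return (path, line number, key) for each assignment whose key names a
    secret and whose value is not a placeholder."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN.finditer(line):
            if SECRET_KEY.search(m["key"]) and looks_like_real_secret(m["val"]):
                hits.append((path, lineno, m["key"]))
    return hits


def env_file_is_ignored(gitignore_text: str) -> bool:
    """True if a .gitignore pattern covers .env ('.env', '/.env', '.env*' or '*.env')."""
    patterns = {ln.strip() for ln in gitignore_text.splitlines()
                if ln.strip() and not ln.startswith("#")}
    return bool(patterns & {".env", "/.env", ".env*", "*.env"})


def load_auth0_settings(env: dict[str, str]) -> dict[str, str]:
    """Read the three variables the skill exports; refuse to start on a missing
    value or an unedited placeholder instead of failing later inside the SDK."""
    out = {}
    for name in ("AUTH0_DOMAIN", "AUTH0_CLIENT_ID", "AUTH0_CLIENT_SECRET"):
        value = env.get(name, "")
        if not value or PLACEHOLDER.match(value):
            raise ValueError(f"{name} is unset or still a placeholder")
        out[name] = value
    return out


# Constructed inputs: the skill's placeholder exports, then a doc that pastes a real-looking value.
TEMPLATE = '''export AUTH0_DOMAIN="your-tenant.auth0.com"
export AUTH0_CLIENT_ID="your-client-id"
export AUTH0_CLIENT_SECRET="your-client-secret"
'''
LEAKY_DOC = '''Set the secret before starting the app:
export AUTH0_CLIENT_SECRET="Q7vX2pLm9KzRt4WnB8cY6dF1sH3jG5aE0uN"
'''

if __name__ == "__main__":
    print(scan_text(TEMPLATE, "SKILL.md"))                      # placeholders pass
    print(scan_text(LEAKY_DOC, "references/integration.md"))    # one hit on line 2
    print(env_file_is_ignored("target/\n.env\n"))
```

When the scanner fires on a documentation file, the fix is the same as for code: replace the literal with a placeholder, and if the value was ever a real secret, rotate it in the Auth0 dashboard rather than only deleting the line.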