Auth0 Java Mvc Common

Pass

Audited by VirusTotal on May 10, 2026.

Overview

Type: OpenClaw Skill
Name: auth0-java-mvc-common
Version: 1.0.1

The skill bundle provides legitimate documentation and integration patterns for the Auth0 Java MVC Common SDK. It includes agent instructions for fetching the latest release version via the GitHub API and verifying project builds using standard tools like Gradle or Maven, which are consistent with its stated purpose of assisting developers with authentication setup. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found across the SKILL.md, API reference, or setup guides.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user chooses automated setup, the agent may create a new Auth0 application in the logged-in Auth0 account.

Why it was flagged

The automated setup path uses the Auth0 CLI to create an application and configure callback/logout URLs. This is aligned with the skill purpose, but it changes the user's Auth0 tenant.

Skill content

auth0 apps create --name "My Java Web App" --type regular --callbacks http://localhost:3000/callback --logout-urls http://localhost:3000 --json

Recommendation

Use the automated path only in the intended Auth0 tenant, review the app name and URLs, or choose manual setup if you want full control.

What this means

The agent may help place Auth0 credentials in the local project environment, and mishandling those values could expose the application secret.

Why it was flagged

The skill instructs the agent/user to handle an Auth0 client secret. This is expected for a server-side OAuth web application, but it is sensitive credential material.

Skill content

export AUTH0_DOMAIN="your-tenant.auth0.com"
export AUTH0_CLIENT_ID="your-client-id"
export AUTH0_CLIENT_SECRET="your-client-secret"

Recommendation

Use a development tenant when testing, keep `.env` out of source control, rotate secrets if exposed, and avoid pasting production secrets unless necessary.

What this means

Different installs may use different SDK versions depending on the current GitHub release.

Why it was flagged

The skill asks the agent to dynamically retrieve the latest dependency version from GitHub instead of using only a fixed version. This is disclosed and points to the Auth0 repository, but it can reduce reproducibility.

Skill content

fetch the latest release version by running:
gh api repos/auth0/auth0-java-mvc-common/releases/latest --jq '.tag_name'
Use the returned version in all dependency lines

Recommendation

After setup, verify the selected version and pin it in Maven or Gradle for reproducible builds.