ClawHub

Auth0 Nuxt

Security checks across malware telemetry and agentic risk

Overview

This documentation-only Auth0/Nuxt skill is not malicious, but it needs Review because some copy-paste security examples could lead to unsafe authentication behavior.

Review carefully before using this skill as production guidance. The basic Auth0/Nuxt setup appears coherent, but do not copy the impersonation or advanced authorization examples without adding server-side enforcement, target validation, CSRF protection, short-lived state, audit logging, and tested logout/session revocation behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The examples add full user-impersonation flows even though the skill is described as Auth0/Nuxt integration guidance, not privileged admin-user switching. Impersonation is a highly sensitive capability that can normalize dangerous patterns; here it is shown without strong safeguards such as step-up auth, audit trail requirements, target validation, expiry, or explicit warning that UI-only checks are insufficient.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
This is a real security issue in the documentation: earlier examples implement authorization decisions such as admin role, permissions, subscription status, and email verification entirely in client-side route middleware via `useUser()`, while the checklist correctly states that `useUser()` must not be used for security-critical decisions. In practice, developers often copy these patterns directly, and client-side checks can be bypassed by direct SSR requests, API calls, or tampering with browser state, leading to unauthorized access if server-side enforcement is absent.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The test example is inconsistent with the documented store behavior: it stores the session under 'test-id-3' but calls deleteByLogoutToken with sid 'test-session'. Since the sample store implementations delete by sid, not by the storage key used in the test, the example falsely suggests back-channel logout works when it may leave sessions undeleted. In an authentication/session-management guide, this is security-relevant because failed logout invalidation can preserve active sessions after logout or account revocation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Presenting impersonation endpoints without any warning about sensitivity, auditability, or abuse risk encourages unsafe adoption of a dangerous administrative feature. Readers may copy the pattern into production without implementing compensating controls, creating opportunities for insider abuse, unauthorized account access, and poor forensic accountability.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal