Auth0 Spa Js
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with Auth0 SPA setup, but its bundled bootstrap code can read and rewrite an existing .env file and mutate an Auth0 tenant, which deserves review before use.
This skill appears intended for legitimate Auth0 SPA setup, but do not run the bootstrap blindly. Confirm you are logged into the correct Auth0 tenant, review any planned tenant changes, and avoid running the .env writer in projects whose .env file contains unrelated secrets unless you have inspected or adjusted the script.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run in a project with secrets in .env, the helper loads those secrets into the bootstrap process while updating Auth0 configuration.
The bootstrap helper reads the full existing .env file before merging Auth0 values. Existing .env files may contain unrelated secrets, and this contrasts with the setup guide's warning not to read .env contents during setup.
if (fs.existsSync(envFilePath)) {
  content = fs.readFileSync(envFilePath, "utf-8")
}
Review the script before running it. Prefer manually adding only the Auth0 domain and client ID, or modify the helper to append/update only known Auth0 keys without reading unrelated secret values.
Running the bootstrap can make persistent changes in your Auth0 tenant, not just in your local project files.
The automation can use the logged-in Auth0 CLI account to change tenant configuration by enabling the new client on an Auth0 database connection.
await auth0ApiCall("patch", `connections/${existing.id}`, {
  enabled_clients: updatedClients,
})
Run it only while logged into the intended Auth0 tenant, inspect the displayed change plan, and confirm that updating the database connection is desired.
If followed, this runs code downloaded from GitHub on the user's machine.
The setup guide documents installing Auth0 CLI by piping a remote script to the shell. This is a common CLI install pattern but depends on the remote script source at install time.
curl -sSfL https://raw.githubusercontent.com/auth0/auth0-cli/main/install.sh | sh -s -- -b /usr/local/bin
Use Auth0's official installation instructions, verify the source, or prefer a package-manager installation when possible.
The agent may execute the project's build commands and make repeated code changes during verification.
The skill tells the agent to run the project's build script and iteratively fix build errors. This is normal for a coding integration task, but npm scripts execute local project-defined commands.
After completing the integration, build the project to verify it compiles successfully:
> ```bash
> npm run build
> ```
> If the build fails, analyze the error output and fix the issues.
Use in trusted project directories and review changes after the build-fix loop.
