Auth0 Swift
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with setting up Auth0 for Swift apps, but it deserves review because it can mutate Auth0 tenant settings and includes examples that print access tokens.
Before using this skill, confirm you are in the correct Xcode project and Auth0 tenant, back up or export existing Auth0 application settings, and review the bootstrap change plan. Do not copy snippets that print access tokens. If updating an existing Auth0 application, preserve existing callback and logout URLs unless you intentionally want to replace them.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with access to those logs could potentially use the token until it expires.
The reference login example prints a bearer access token. If the agent copies this into an app, tokens could appear in device, Xcode, CI, or crash/log collection output.
`print("Login successful: \(credentials.accessToken)")`
Do not log access tokens, ID tokens, refresh tokens, or full credential objects. Log only non-sensitive status such as "login succeeded".
Existing Auth0 callback or logout URLs could be narrowed or replaced, which may break other app environments or production login/logout flows.
The instruction updates callback and logout URL settings for an Auth0 application, but the shown workflow does not fetch and merge existing URLs before setting the new values.
auth0 apps update CLIENT_ID \
  --callbacks "BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" \
  --logout-urls "BUNDLE_ID://DOMAIN/ios/BUNDLE_ID/callback" \
  --no-input
Before running these updates, export or inspect the current Auth0 application settings and append the new URLs rather than replacing existing ones unless replacement is intentional.
Commands will run with the permissions of the currently logged-in Auth0 account and can create or update tenant resources.
The setup uses the locally logged-in Auth0 CLI session to identify and act on the active tenant.
Check Auth0 login: `auth0 tenants list --csv --no-input 2>&1`
Use the intended Auth0 tenant, confirm the active tenant, and prefer a least-privileged account for setup.
Running npm install may fetch dependency versions that are not the exact versions reviewed in these artifacts.
The helper script depends on external npm packages using caret ranges, and no lockfile is shown in the manifest.
"dependencies": {
  "@inquirer/prompts": "^8.1.0",
  "execa": "^9.0.0",
  "ora": "^8.0.0"
}
Run the bootstrap in a trusted environment, consider generating and reviewing a lockfile, and pin dependency versions for reproducible setup.
