Express Oauth2 Jwt Bearer
Pass
Audited by ClawScan on May 6, 2026.
Overview
This skill appears purpose-aligned for adding Auth0 JWT validation, but its optional setup automation can install helper packages, use your logged-in Auth0 account, create an API, and update a .env file.
This skill is reasonable to use for an Auth0-protected Express API. Before running automatic setup, make sure the Auth0 CLI is logged into the correct tenant, inspect the helper script and npm dependencies, and confirm that writing `.env` files and creating an Auth0 API resource are actions you want the agent to perform.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run against the wrong Auth0 tenant or project path, it could create a resource in the wrong account and write matching configuration locally.
Automatic setup uses the user's logged-in Auth0 CLI session and can create an Auth0 API plus write configuration into the project.
Verify logged in: `auth0 tenants list --csv --no-input` ... Create the Auth0 API (Resource Server) ... Write the `.env` configuration file
Before using automatic setup, confirm the active Auth0 tenant, review the displayed change plan, and use manual setup if you are unsure.
Running the helper may install third-party npm packages and execute setup code on your machine.
The setup flow downloads npm dependencies for the helper script and then executes that local bootstrap code.
`cd <skill-dir>/scripts && npm install && node bootstrap.mjs <project-path>`
Review `scripts/package.json` and the bootstrap script first, and run the command only in the intended project environment.
This may use the local GitHub CLI and network access; it is low impact but may fail or use local GitHub authentication if configured.
The skill tells the agent to run an external GitHub CLI command to determine the latest SDK version.
fetch the latest release version by running: `gh api repos/auth0/node-oauth2-jwt-bearer/releases/latest --jq '.tag_name'`
Allow the version check only if you are comfortable with the GitHub CLI call, or verify the package version manually.
