Security audit

Acul Screen Generator

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Auth0 login-screen generator, but users should harden the generated JavaScript examples before production.

Install only if you intend to build or modify Auth0 ACUL screens. Prefer dev or staging tenants, review the active Auth0 tenant before running connected mode, do not commit exported ACUL config files, and sanitize or DOM-build Vanilla JS social buttons before using generated code in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Severity: Low (88% confidence)

Finding: The documentation encourages use of commands that write tenant ACUL configuration to local JSON files but does not warn that these exports may contain sensitive tenant metadata or implementation details. In a code-generation skill focused on Auth0 login customization, users are likely to copy these commands directly, increasing the chance that exported files are left unprotected, committed to source control, or shared inadvertently.

Missing User Warnings

Severity: Medium (95% confidence)

Finding: The JavaScript example builds HTML with string interpolation using provider-controlled fields like `conn.displayName`, `conn.name`, and especially `conn.iconUrl` directly inside attributes and element content. If any of these values contain malicious characters or a hostile URL, this can lead to DOM-based XSS, attribute injection, or loading attacker-controlled external content in a login surface, a particularly sensitive context.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.exposed_secret_literal (Critical)

File appears to expose a hardcoded API secret or token.

Location: assets/js-templates/login-password.js:106