Sr Next Clerk Expert

Pass. Audited by ClawScan on May 10, 2026.

Overview

The provided artifacts are a coherent instruction-only Clerk/Next.js guide; its auth, billing, and webhook patterns are disclosed and purpose-aligned, though they involve real provider secrets and user data.

This skill appears safe as an instruction-only Clerk/Next.js guide. Before using it, confirm you are comfortable giving your agent auth-integration guidance involving Clerk secrets, optional Stripe credentials, and webhook/database user sync patterns. Keep secrets in environment variables, validate billing inputs server-side, and test webhook behavior carefully in a non-production environment first.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If these secrets are mishandled, exposed, or pasted into an unsafe place, an attacker could affect authentication or billing-related operations.

Why it was flagged

The skill asks the user to work with Clerk and optional Stripe/webhook secrets. That is expected for the stated auth and billing integrations, but these credentials provide delegated authority over authentication and billing services.

Skill content

env:
  required:
    - CLERK_SECRET_KEY
    - NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
  optional:
    - CLERK_WEBHOOK_SECRET
    - STRIPE_SECRET_KEY

Recommendation

Use project environment variables, avoid pasting secrets into chat, prefer test keys during development, and rotate any key that may have been exposed.

What this means

A poorly adapted implementation could allow unintended Stripe prices or products to be used when creating checkout sessions.

Why it was flagged

The Stripe checkout example passes a request-provided priceId into a Stripe API call. This is a common billing pattern, but server-side validation is important because it touches financial workflow configuration.

Skill content

const { priceId } = await req.json();
...
line_items: [{ price: priceId, quantity: 1 }],

Recommendation

Validate priceId against a server-side allowlist, rate-limit checkout creation, and ensure the authenticated user is associated with the correct Stripe customer.

What this means

Incorrect webhook configuration could cause user records to be created, updated, or deleted unexpectedly.

Why it was flagged

The skill documents a Clerk-to-app webhook flow for user lifecycle data. It includes signature verification, which is good, but the flow can still update or delete local user records based on external events.

Skill content

Select events: `user.created`, `user.updated`, `user.deleted`
...
evt = wh.verify(body, {
  "svix-id": svix_id,
  "svix-timestamp": svix_timestamp,
  "svix-signature": svix_signature,
}) as WebhookEvent;

Recommendation

Keep signature verification, limit subscribed events to what is needed, make handlers idempotent, prefer soft-delete where appropriate, and audit webhook failures.