Sr Next Clerk Expert
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: sr-next-clerk-expert
Version: 1.0.1

The skill bundle provides comprehensive guidance for integrating Clerk authentication into Next.js applications, including patterns for Convex and Stripe. It emphasizes security best practices, such as proper secret management and webhook signature verification, and warns against enabling debug mode in production because it leaks sensitive tokens. All code snippets and instructions are aligned with the stated purpose and do not exhibit any signs of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts. The use of environment variables like `CLERK_SECRET_KEY` and `STRIPE_SECRET_KEY` is for legitimate API interactions, not unauthorized access or exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these secrets are mishandled, exposed, or pasted into an unsafe place, an attacker could affect authentication or billing-related operations.
The skill asks the user to work with Clerk and optional Stripe/webhook secrets. That is expected for the stated auth and billing integrations, but these credentials provide delegated authority over authentication and billing services.
env:
  required:
    - CLERK_SECRET_KEY
    - NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY
  optional:
    - CLERK_WEBHOOK_SECRET
    - STRIPE_SECRET_KEY

Use project environment variables, avoid pasting secrets into chat, prefer test keys during development, and rotate any key that may have been exposed.
A poorly adapted implementation could allow unintended Stripe prices or products to be used when creating checkout sessions.
The Stripe checkout example passes a request-provided priceId into a Stripe API call. This is a common billing pattern, but server-side validation is important because it touches financial workflow configuration.
const { priceId } = await req.json();
...
line_items: [{ price: priceId, quantity: 1 }],

Validate priceId against a server-side allowlist, rate-limit checkout creation, and ensure the authenticated user is associated with the correct Stripe customer.
Incorrect webhook configuration could cause user records to be created, updated, or deleted unexpectedly.
The skill documents a Clerk-to-app webhook flow for user lifecycle data. It includes signature verification, which is good, but the flow can still update or delete local user records based on external events.
Select events: `user.created`, `user.updated`, `user.deleted`
...
evt = wh.verify(body, {
"svix-id": svix_id,
"svix-timestamp": svix_timestamp,
"svix-signature": svix_signature,
}) as WebhookEvent;

Keep signature verification, limit subscribed events to what is needed, make handlers idempotent, prefer soft-delete where appropriate, and audit webhook failures.
