Better Auth
v0.1.0
Self-hosted auth for TypeScript/Cloudflare Workers with social auth, 2FA, passkeys, organizations, RBAC, and 15+ plugins. Requires Drizzle ORM or Kysely for D1 (no direct adapter). Self-hosted alternative to Clerk/Auth.js. Use when: self-hosting auth on D1, building OAuth provider, multi-tenant SaaS, or troubleshooting D1 adapter errors, session caching, rate limits, Expo crashes, additionalFields bugs.
by Veera @veeramanikandanr48
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description and included files (Worker examples, Drizzle/Kysely adapters, schema, setup scripts) align with a self-hosted auth toolkit for Cloudflare D1. However, the registry metadata lists no required env vars or primary credential even though examples and scripts clearly require secrets (BETTER_AUTH_SECRET, OAuth client secrets), D1 bindings, and Cloudflare tokens. The omission of those required credentials in the metadata is an incoherence.
Instruction Scope
SKILL.md and example files instruct the agent to create/modify project files, run CLI commands (npm/pnpm, npx, wrangler), generate migrations, and call wrangler secret put. Those actions are within scope for deploying auth to Workers/D1, but the allowed-tools list (Bash, Read, Write, Edit, Glob, Grep) gives the agent permission to edit files and run shell commands — so you should explicitly review scripts (e.g., scripts/setup-d1-drizzle.sh) and the exact commands the agent will execute. The instructions reference many env vars and Cloudflare credentials that are not declared in the skill metadata.
Install Mechanism
There is no install spec that downloads arbitrary binaries; the skill is instruction‑plus‑examples and includes code/templates and a setup script. That is lower risk than a remote download/install, but included shell scripts will write files and run local CLIs when invoked — review them before execution.
Credentials
The skill's metadata declares no required environment variables, yet code and instructions clearly expect multiple secrets and bindings (BETTER_AUTH_SECRET, BETTER_AUTH_URL, GOOGLE_CLIENT_ID/SECRET, GITHUB_CLIENT_ID/SECRET, CLOUDFLARE_DATABASE_ID/ACCOUNT_ID/TOKEN, KV bindings like SESSIONS_KV, etc.). Requesting Cloudflare account tokens and OAuth client secrets is proportionate for deploying this service, but the metadata omission is misleading and increases risk if an agent were granted broad filesystem/CLI access without you knowing what secrets it will reference.
Persistence & Privilege
The skill is user-invocable, not always:true, and does not request persistent platform privileges. It includes scripts to create and apply migrations and to set wrangler secrets, which is expected for deploying to Cloudflare but does not itself indicate elevated or permanent platform privilege beyond the normal actions an operator performs.
What to consider before installing
This skill appears to be a legitimate set of templates and instructions for deploying a self‑hosted auth system on Cloudflare Workers/D1, but the skill metadata does not list the many environment variables and cloud credentials the examples and scripts actually use. Before installing or letting the agent run anything:
1) Inspect the included scripts (e.g., scripts/setup-d1-drizzle.sh) and SKILL.md end-to-end — do not run them blind.
2) Verify the skill source (homepage/repository) and prefer official upstream packages (better-auth repo/docs) before installing npm packages.
3) When running setup, use a low‑privilege Cloudflare token or a development account (do not supply production account tokens or OAuth secrets until you audit the code).
4) Search for any commands that upload data or echo secrets to external endpoints; the examples show placeholder console.log of tokens — ensure those are not used in production.
5) If you plan to let the agent perform edits or run shell commands, restrict its scope: run in an isolated/local environment and review generated diffs and commands before applying.
The skill is coherent with its stated purpose but metadata omissions and the ability to run shell commands warrant caution.
Like a lobster shell, security has layers — review code before you run it.
latest vk9799xy83de9n96xsy11v9hpeh809qzf
