Azure Auth

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Applications built from this template keep sign-in state across browser sessions (the MSAL token cache is written to localStorage rather than sessionStorage) and can read basic Microsoft profile information for the signed-in user.

Why it was flagged

The template persists MSAL auth state in browser storage/cookies and requests Microsoft profile/Graph User.Read scopes. This is expected for SSO, but it means the resulting app handles identity data and authentication state.

Skill content
cacheLocation: "localStorage"; storeAuthStateInCookie: true; scopes: ["openid", "profile", "email", "User.Read"]
Recommendation

Use least-privilege scopes, switch to sessionStorage if persistent browser login is not needed, and maintain strong XSS protections: any script running on the origin can read either storage area, so sessionStorage only narrows the lifetime of a stolen cache, not the exposure to frontend vulnerabilities.
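As an added example (not code from the template): an offline lint pass over the MSAL.js-style settings quoted above. Field names follow the MSAL configuration shape (cache.cacheLocation, cache.storeAuthStateInCookie, loginRequest.scopes); the severity labels and the "baseline scope" set are assumptions made for this example.

```javascript
// Added example, not the template's own code. Audits an MSAL.js-style browser
// configuration and login request for the points raised in the finding above.

// Assumed baseline: the scopes the template needs for sign-in plus basic profile.
const BASELINE_SCOPES = new Set(["openid", "profile", "email", "User.Read"]);

function auditMsal(msalConfig, loginRequest) {
  const findings = [];
  const cache = (msalConfig && msalConfig.cache) || {};
  const scopes = (loginRequest && loginRequest.scopes) || [];

  if (cache.cacheLocation === "localStorage") {
    findings.push({
      id: "persistent-cache",
      severity: "info",
      detail: "tokens survive the browser session; prefer sessionStorage unless persistent login is required",
    });
  }
  if (cache.storeAuthStateInCookie === true) {
    findings.push({
      id: "auth-state-cookie",
      severity: "info",
      detail: "interaction state is mirrored into a cookie; only needed for browsers that drop storage across redirects",
    });
  }

  // Anything outside the baseline widens what a stolen token can do.
  const extra = scopes.filter((s) => !BASELINE_SCOPES.has(s));
  if (extra.some((s) => s.endsWith("/.default"))) {
    findings.push({
      id: "default-scope",
      severity: "warn",
      detail: "/.default requests the whole static permission set configured on the app registration",
    });
  }
  const named = extra.filter((s) => !s.endsWith("/.default"));
  if (named.length > 0) {
    findings.push({
      id: "extra-scopes",
      severity: "warn",
      detail: `scopes beyond the baseline: ${named.join(", ")}`,
    });
  }
  return findings;
}

// The settings quoted on the page: localStorage cache, cookie mirror, four scopes.
const pageConfig = { cache: { cacheLocation: "localStorage", storeAuthStateInCookie: true } };
const pageLogin = { scopes: ["openid", "profile", "email", "User.Read"] };

// A tightened variant (assumed): session-scoped cache, no cookie mirror, same scopes.
const hardenedConfig = { cache: { cacheLocation: "sessionStorage", storeAuthStateInCookie: false } };

// Convenience for reporting: just the finding ids.
function findingIds(msalConfig, loginRequest) {
  return auditMsal(msalConfig, loginRequest).map((f) => f.id);
}

console.log("page config:", findingIds(pageConfig, pageLogin));
console.log("hardened config:", findingIds(hardenedConfig, pageLogin));
```

Run against the quoted settings the audit reports the two informational points from the finding (persistent cache, auth-state cookie) and nothing for scopes; the hardened variant reports nothing, and a login request that adds Mail.Read or a /.default scope is flagged as a widening of privilege.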

What this means

If app code passes an unintended domain or user-controlled URL, an API bearer token could be sent to the wrong service.

Why it was flagged

The authenticated fetch helper attaches a bearer token to the caller-supplied URL. The examples use backend API paths, so this is purpose-aligned, but the caller must avoid untrusted or external URLs.

Skill content
headers.set("Authorization", `Bearer ${token}`); return fetch(url, { ...options, headers });
Recommendation

Restrict the helper to same-origin or allowlisted API base URLs (resolve the URL first, then compare host and path prefix, since string checks on the raw input miss "https://api.example.com@evil.net" and "../" forms), and never pass user-controlled URLs into authenticated fetch calls.
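One way to implement that restriction, as an added example rather than the template's own helper: a wrapper that attaches the bearer token only when the target resolves inside an allowlisted API base. The app origin, the allowlist entries and the fake fetch used for the demo are assumptions for this example.

```javascript
// Added example, not the template's own helper. Builds an authenticated fetch
// that refuses to send a bearer token anywhere outside the allowlisted bases.

function createAuthFetch({ origin, allowedBases, fetchImpl }) {
  // Normalise each base once against the app origin; the trailing slash stops
  // "/api" from matching "/apiary".
  const bases = allowedBases.map((b) => {
    const u = new URL(b, origin);
    return u.href.endsWith("/") ? u.href : u.href + "/";
  });

  // Returns a URL object when the input is an acceptable API target, else null.
  function resolveApiUrl(input) {
    let target;
    try {
      target = new URL(String(input), origin); // relative paths resolve against the app origin
    } catch {
      return null;
    }
    if (target.protocol !== "https:") return null;        // never send a token in clear
    if (target.username || target.password) return null;  // reject "api.example.com@evil.net" tricks
    target.hash = "";                                     // fragments are never sent anyway
    // href is already normalised here, so "/v1/../admin" has become "/admin" and fails.
    return bases.some((b) => target.href.startsWith(b)) ? target : null;
  }

  function authFetch(url, token, options = {}) {
    const target = resolveApiUrl(url);
    if (!target) {
      throw new Error(`refusing to send bearer token to non-allowlisted URL: ${url}`);
    }
    const headers = { ...(options.headers || {}), Authorization: `Bearer ${token}` };
    return (fetchImpl || globalThis.fetch)(target.href, { ...options, headers });
  }

  return { authFetch, resolveApiUrl };
}

// Demo with a fake fetch that only records what it was asked to send (assumed values).
const demoCalls = [];
const demoClient = createAuthFetch({
  origin: "https://app.example.com",
  allowedBases: ["/api/", "https://api.example.com/v1/"],
  fetchImpl: (url, opts) => {
    demoCalls.push({ url, authorization: opts.headers.Authorization });
    return { ok: true, status: 200 };
  },
});

demoClient.authFetch("/api/me", "demo-token");
console.log(demoCalls);
for (const bad of ["http://api.example.com/v1/me", "https://api.example.com@evil.net/v1/me", "//evil.net/api/me"]) {
  console.log(bad, "->", demoClient.resolveApiUrl(bad));
}
```

The check runs on the parsed, normalised URL rather than on the raw string, which is what defeats lookalike hosts, embedded credentials, protocol-relative inputs and dot-segment traversal; a caller that really needs to talk to a new service adds it to the allowlist instead of weakening the check.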