Better Auth
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is a coherent Better Auth setup guide, but it includes unsafe auth code patterns and production-affecting commands that should be reviewed before use.
Install only if you are comfortable reviewing auth code before it is applied. Restrict CORS to trusted origins, enforce admin role checks, remove verification-token logging, and require explicit approval before remote migrations or production changes.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied into an app, untrusted websites may be allowed to make credentialed requests to the auth API, depending on cookie settings and browser behavior.
The setup template reflects any request Origin while allowing credentials on auth routes, which is an unsafe default for authentication endpoints.
app.use('/api/auth/*', cors({
  origin: (origin) => origin,
  credentials: true,
}));

Replace this with an explicit allowlist of trusted frontend origins and avoid reflecting arbitrary origins when credentials are enabled.
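The allowlist the recommendation above asks for, as an added example that is not code from the Better Auth skill or from ClawScan. It is written as a framework-agnostic function returning the value a CORS middleware should echo in Access-Control-Allow-Origin; the snippet being reviewed looks like Hono's `cors` middleware, whose `origin` option accepts a function returning the origin to allow or null, so the function can be passed there directly. The origin entries, and the names `allowedOrigins`, `normalizeOrigin` and `resolveCorsOrigin`, are assumptions made for this illustration.

```javascript
// Added example (not the skill's code): explicit origin allowlist for credentialed
// CORS on auth routes. Exact-match lookup replaces reflecting the request Origin.

// Constructed allowlist entries; replace with the real frontend origins.
const allowedOrigins = new Set([
  "https://app.example.com", // constructed: production frontend
  "http://localhost:5173",   // constructed: local dev frontend
]);

// Normalize an Origin header value into scheme://host[:port].
// Returns null for anything that is not a well-formed http(s) origin
// (e.g. the literal "null", an empty string, or a value carrying a path).
function normalizeOrigin(origin) {
  if (typeof origin !== "string" || origin.length === 0) return null;
  let u;
  try {
    u = new URL(origin);
  } catch {
    return null;
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  // A real Origin header has no path, query or fragment; reject values that do.
  if (u.pathname !== "/" || u.search !== "" || u.hash !== "") return null;
  return u.origin;
}

// Decide the Access-Control-Allow-Origin value for a request.
// Returns the matching allowlisted origin, or null so the middleware emits no
// CORS headers at all. It never returns "*": credentials are enabled on these
// routes, and a suffix like "app.example.com.evil.net" does not match.
function resolveCorsOrigin(requestOrigin) {
  const normalized = normalizeOrigin(requestOrigin);
  if (normalized === null) return null;
  return allowedOrigins.has(normalized) ? normalized : null;
}

// Hardened form of the flagged registration (assumes Hono's cors middleware):
// app.use('/api/auth/*', cors({
//   origin: (origin) => resolveCorsOrigin(origin),
//   credentials: true,
// }));
```

Because `resolveCorsOrigin` returns null rather than the request's own value for anything outside the set, a browser on an untrusted site never receives an Access-Control-Allow-Origin header and the credentialed response is withheld from its script.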
If used as-is, any authenticated user could potentially access an endpoint intended only for admins and list user data.
The reference labels the route as admin-only but comments out the authorization check before returning the user list.
// if (user.role !== 'admin') {
//   return c.json({ error: 'Forbidden' }, 403)
// }
// Fetch all users
const users = await db.query.user.findMany({

Do not copy this route without enforcing a real role/permission check before querying or returning user records.
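The check that the flagged route leaves commented out, as an added example that is not code from the Better Auth skill or from ClawScan. It is written framework-agnostically so it runs without Hono or a D1 database: the session shape `{ user: { id, role } }`, the injected `findAllUsers` function standing in for `db.query.user.findMany`, and the names `requireRole` and `listUsersHandler` are assumptions for this illustration.

```javascript
// Added example (not the skill's code): enforce the role check before any query.
// Unauthenticated -> 401, authenticated but not admin -> 403, admin -> 200 with a
// minimized projection of the user rows.

// Fail-closed role guard. A missing session, a missing role, or a non-string
// role is never treated as the required role.
function requireRole(session, requiredRole) {
  if (!session || !session.user) {
    return { ok: false, status: 401, error: "Unauthorized" };
  }
  const role = session.user.role;
  if (typeof role !== "string" || role !== requiredRole) {
    return { ok: false, status: 403, error: "Forbidden" };
  }
  return { ok: true };
}

// Handler in the style of the flagged route. `findAllUsers` is injected
// (assumption) so the example runs offline; in the app it would be
// db.query.user.findMany.
async function listUsersHandler(session, findAllUsers) {
  const auth = requireRole(session, "admin");
  if (!auth.ok) {
    // The database is not touched until the authorization check passes.
    return { status: auth.status, body: { error: auth.error } };
  }
  const users = await findAllUsers();
  // Return only the columns an admin listing needs; never the password hash
  // or provider tokens that the schema stores alongside them.
  return {
    status: 200,
    body: { users: users.map(({ id, email, role }) => ({ id, email, role })) },
  };
}

// Constructed sample rows standing in for the user table.
const sampleUsers = [
  { id: "u1", email: "alice@example.com", role: "admin", password: "constructed-hash" },
  { id: "u2", email: "bob@example.com", role: "user", password: "constructed-hash" },
];
const sampleFindAllUsers = async () => sampleUsers;
```

The guard runs before the query rather than filtering afterwards, so a rejected request costs no database round trip and cannot leak row counts or timing; the projection in the success path addresses the separate finding below about sensitive columns in the schema.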
An agent following the setup could alter a remote database schema or production environment before the user has reviewed the migration.
The default setup flow includes applying remote migrations, which can change a production Cloudflare D1 database, without an explicit confirmation, backup, or rollback checkpoint.
npm run db:generate
npm run db:migrate:local
npm run db:migrate:remote
Require explicit user approval before remote migrations or deployments, show the migration diff, run locally first, and ensure backups/rollback plans exist.
Verification tokens could be exposed in application logs, allowing unintended account verification or account-flow abuse if logs are accessible.
The reference implementation logs email verification URLs and tokens, which are sensitive authentication materials.
console.log(`Verification email for ${user.email}: ${url}`);
console.log(`Verification code: ${token}`);

Use a real email provider for verification links and avoid logging tokens except in clearly isolated local-development code.
The D1 database and backups will contain high-value authentication data that must be protected.
The schema stores OAuth tokens, ID tokens, and password hashes, which is expected for an authentication system but still sensitive.
accessToken: text(),
refreshToken: text(),
idToken: text(),
password: text(),
Restrict database access, avoid exposing logs/backups, rotate secrets when needed, and consider encryption or minimization for stored provider tokens.
Users have little registry-level provenance information with which to validate the skill and its examples.
The registry metadata does not provide a source or homepage, even though the skill contains code templates and setup commands.
Source: unknown
Homepage: none
Verify the referenced repository/package documentation independently before letting the agent apply setup commands to a real project.
