clerk-auth

skills-sh:jezweb_claude-skills__clerk-auth

View source

75/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

75/100

CRITICAL 1

LOW 1

Findings (2)

CRITICAL

Text combines credential access with network transmission NLP_CRED_EXFIL_COMBO

exfiltration L760

Text combines credential access with network transmission

createRouteMatcher
(
[
'/api/webhooks/clerk(.*)'
,
// Clerk webhooks are public
]
)
clerkMiddleware
(
(
auth
,
req
)
=>
{
if
(
!
isPublicRoute
(
req
)
)
{
auth
.
protect
(
)
}
}
)
UI Components Quick ...

FIX

Remove the combination of credential access and network transmission from the tool. If the tool needs credentials, access them via a secrets manager and never transmit them externally.

FP?

Likely FP if the tool legitimately uses credentials for API authentication (e.g., reading an API key to make authenticated requests to the same service).

LOW

Mutable GitHub raw content reference THIRDPARTY_002

third-party-content L1161

Detects references to raw.githubusercontent.com on mutable branches like main/master

github.com/clerk/javascript/blob/main/packages/backend/CHANGELOG.md

FIX

Replace GitHub raw.githubusercontent.com references with pinned commit SHAs instead of branch names (e.g., /commit-sha/file instead of /main/file). Branch references are mutable.

FP?

Likely FP if the raw GitHub URL points to a versioned release tag in a well-known repository, though even tags are technically mutable.