moai-baas-clerk-ext
Audited by Socket on Mar 1, 2026
1 alert found:
Security: The skill narrative and code samples present a coherent enterprise authentication platform concept with Context7 integration and WebAuthn. However, there are critical security concerns: privileged credentials (CLERK_SECRET_KEY) appear to be used in frontend/client-side code to call Clerk APIs, creating a high-risk exposure and misalignment with secure production architectures. Organization invitation and WebAuthn flows exacerbate risk if client-side secrets are trusted for authorization. Recommendation: remove secrets from client code, migrate privileged actions to a secure backend that issues short-lived tokens with proper RBAC, and implement server-side validation and audit logging for sensitive operations. Until remediation, treat as suspicious for production use with elevated security risk.