auth0-nextjs

Fail

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The file references/setup.md provides a bash script that executes curl -sSfL https://raw.githubusercontent.com/auth0/auth0-cli/main/install.sh | sh. This is a piped remote execution pattern. Because the organization auth0 is not on the list of Trusted External Sources, this pattern is classified as a high-severity security risk, potentially allowing arbitrary code execution from a remote source.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill directs users to download the Auth0 CLI via a shell script and install the @auth0/nextjs-auth0 package via npm. These actions introduce external dependencies into the environment. The use of a piped script instead of a verified package manager for the CLI installation increases the risk of supply chain attacks.
  • [COMMAND_EXECUTION] (MEDIUM): The setup script in references/setup.md automates the creation of Auth0 applications using the auth0 apps create command. It subsequently uses shell utilities like grep and cut to parse sensitive output, including client_secret, which is then written to a local .env.local file.
  • [CREDENTIALS_UNSAFE] (LOW): While the skill correctly advises users to add .env.local to .gitignore, the automated setup process handles raw secrets (AUTH0_CLIENT_SECRET, AUTH0_SECRET) in plaintext within the shell environment, creating a brief window of exposure in process lists or shell history.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 19, 2026, 03:50 PM