clerk-backend-api
Pass
Audited by Gen Agent Trust Hub on Apr 29, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill fetches OpenAPI specification files from the vendor's official GitHub repository (https://raw.githubusercontent.com/clerk/openapi-specs/). These files are used for endpoint discovery and are considered trusted resources given the skill's purpose and authorship.
- [COMMAND_EXECUTION]: Local scripts (e.g., scripts/extract-tags.js, scripts/extract-tag-endpoints.sh) are used to process the downloaded OpenAPI data. The remote content is passed to these scripts via standard input and is treated as data to be parsed, not as executable code. This is a standard and safe data processing pattern.
- [CREDENTIALS_UNSAFE]: The file scripts/execute-request.sh contains logic that searches parent directories for .env or .env.local files to automatically load the CLERK_SECRET_KEY. While accessing environment files is a sensitive action, the skill's primary instructions explicitly direct the agent to avoid using this script and instead require manual input or environment configuration of keys for direct curl commands.
Audit Metadata