clerk-debug-bundle
Audited by Socket on Mar 12, 2026
1 alert found:
Obfuscated File

The Clerk Debug Bundle is consistent with its stated purpose of diagnosing Clerk issues, and it relies on legitimate Clerk/Next.js tooling. However, it introduces notable security risks: it reads and surfaces sensitive credentials (secret keys and partial publishable keys), decodes and displays JWT payloads on the client, and logs sensitive headers when debugging is enabled. These data exposure points make the tool potentially dangerous if CLERK_DEBUG is left enabled in production or if access to logs/UI is not strictly controlled. It is best treated as SUSPICIOUS for production use and requires hardening (avoid printing secrets, avoid exposing token payloads in the UI, restrict debug logging to secure environments). Overall risk is Medium.