clerk-incident-runbook
Audited by Socket on Mar 13, 2026
2 alerts found:
Anomaly x2
SUSPICIOUS. The stated purpose is a Clerk incident runbook, but the granted shell permissions are much broader than necessary for visible documentation and could enable arbitrary downloads or package execution. No malicious exfiltration or fake Clerk endpoints are shown, yet the hidden implementation guide and wildcard npm/curl access make the skill higher-risk than a normal procedural runbook.
The code is an operational runbook with example scripts for managing Clerk incidents. It does not contain signs of malware or obfuscated malicious payloads. However, it includes high-risk administrative operations (an environment-driven authentication bypass, bulk upserts, session revocation, and account bans) that, if misconfigured or executed by an unauthorized actor, could cause serious security and availability issues. These are legitimate but dangerous features and should be protected with strict controls and safeguards.