moai-baas-clerk-ext

Warn

Audited by Socket on Mar 2, 2026

1 alert found:

Security
Severity: MEDIUM
SKILL.md

This skill's stated purpose (Clerk integration, WebAuthn, org management, M2M tokens, Context7 analysis) aligns with the code examples. No active malicious payloads, obfuscated code, or download-execute supply-chain patterns were found. The primary security concern is misuse of privileged secrets: CLERK_SECRET_KEY is referenced in code examples that are colocated with client-side components, creating a high risk that inexperienced developers could accidentally bundle or expose secrets to browsers. That leakage would enable account takeover, invitation creation, token generation, and other privileged actions. Recommendation: clearly separate server-only examples, remove Authorization: Bearer usage from client-side examples, and show a secure server endpoint pattern (server uses secret, client calls server without secret). Treat this skill as useful but potentially dangerous if its examples are copied verbatim into client builds. Reviewers should mark this as security-vulnerable until examples are fixed to enforce server-only secret handling.

Confidence: 80%
Severity: 75%
Audit Metadata
Analyzed At
Mar 2, 2026, 05:16 PM
Package URL
pkg:socket/skills-sh/jg-chalk-io%2FNora-LiveKit%2Fmoai-baas-clerk-ext%2F@41718121891baf6d674ab3ea7f7d28642abb4ad0