clerk-expo-patterns
Pass
Audited by Gen Agent Trust Hub on May 3, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill implements standard authentication flows using the official @clerk/expo SDK.
- [SAFE]: For session persistence, the skill recommends and provides templates for expo-secure-store, ensuring that authentication tokens are stored in the device's encrypted keychain rather than unencrypted storage like AsyncStorage.
- [SAFE]: Documentation includes clear security boundaries, specifically advising that user.update() should only be used for non-sensitive 'unsafeMetadata' and that verified data should be managed via server-side SDKs.
- [SAFE]: Network operations are directed towards well-known and trusted services, including Clerk's authentication endpoints and Expo's official push notification API.
- [SAFE]: Environment variable handling follows Expo's security model, using the EXPO_PUBLIC_ prefix for publishable keys intended for client-side use, while keeping sensitive secrets out of the mobile bundle.
Audit Metadata