auth0-authentication
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill suggests running 'npx @auth0/auth0-mcp-server init --client cursor'. This command downloads and executes a package from the npm registry. While the '@auth0' scope is reputable, using npx without a specific version represents an external dependency download.
- [REMOTE_CODE_EXECUTION] (LOW): The npx command inherently downloads and executes code from a remote source.
- [PROMPT_INJECTION] (LOW): The skill describes handling untrusted user data (e.g., event.user.email) within Auth0 Actions.
  - Ingestion points: event.user and event.secrets in SKILL.md.
  - Boundary markers: Absent in provided code snippets.
  - Capability inventory: api.access.deny, api.idToken.setCustomClaim, api.authentication.challengeWithAny.
  - Sanitization: The snippets do not demonstrate sanitization of user-provided data before using it in claims or challenges.
- [SAFE]: All credentials used in the examples (AUTH0_CLIENT_ID, AUTH0_CLIENT_SECRET) are placeholders (e.g., 'your-client-id'), following best practices.