supabase-clerk-sync
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS] (SAFE): The scripts and templates perform network requests only to trusted and expected domains necessary for the integration, specifically `api.clerk.com` for user data and `clerk.accounts.dev` for JWKS verification. Imports in Deno/TypeScript templates use standard registries like `deno.land` and `esm.sh`.
- [COMMAND_EXECUTION] (SAFE): Bash scripts included in the skill (e.g., `configure-rls.sh`, `setup-sync.sh`) are used for local configuration and file generation based on user-provided inputs. No arbitrary command execution or piping of remote content to a shell was found.
- [CREDENTIALS_UNSAFE] (SAFE): The documentation and templates consistently emphasize using environment variables for sensitive keys (`CLERK_SECRET_KEY`, `SUPABASE_SERVICE_ROLE_KEY`) and provide warnings against hardcoding secrets.
- [DATA_EXFILTRATION] (SAFE): Network operations are confined to the official APIs of Clerk and Supabase. Data movement (e.g., in `sync-users.sh`) is restricted to the user's own instances as defined by their configuration.
- [INDIRECT_PROMPT_INJECTION] (SAFE): The skill ingests untrusted data from Clerk webhooks.
  1. Ingestion points: `templates/webhook-sync.ts` and `templates/edge-function-webhook.ts`.
  2. Boundary markers: Svix signature verification is implemented via the `webhook.verify()` method.
  3. Capability inventory: Writing to the Supabase database via `supabase.from('users').upsert(...)`.
  4. Sanitization: Standard field mapping is performed.
  The implementation follows security best practices and is the primary purpose of the skill.
Audit Metadata