clerk-security
Install: claude install-skill hlsitechio/claude-skills-security
# Clerk Authentication Security Audit
Audit a Clerk-powered application for misconfigurations and integration vulnerabilities. Clerk handles the heavy auth lifting; the security surface is mostly integration.
## When this skill applies
- Reviewing Clerk middleware and route protection
- Auditing Clerk webhook handlers
- Reviewing publishable vs secret key handling
- Checking organization / role configuration
- Auditing custom session claims and JWT templates
## Workflow
Follow `../_shared/audit-workflow.md`.
### Phase 1: Stack detection
```bash
grep -E '"@clerk/' package.json
# Look for SDK
grep -E '"(@clerk/nextjs|@clerk/clerk-sdk-node|@clerk/backend|@clerk/clerk-react|@clerk/clerk-expo)":' package.json
```
### Phase 2: Inventory
```bash
# Middleware (Next.js)
find . -name 'middleware.ts' -o -name 'middleware.js' | xargs grep -l 'clerk' 2>/dev/null
# Server-side calls
grep -rn 'clerkClient\|auth()\|currentUser()\|getAuth(' src/ app/ | head
# Webhook handlers
grep -rn 'svix\|verifyWebhook\|WebhookEvent' src/ app/ | head
# Env vars
grep -rn 'CLERK_' .env* 2>/dev/null
```
### Phase 3: Detection — the checks
#### Key handling
Clerk has multiple keys:
- `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY` (or equivalent) — public, ships to client. Safe.
- `CLERK_SECRET_KEY` — server-only. Never in `NEXT_PUBLIC_` / `VITE_` / similar prefix.
- `CLERK_WEBHOOK_SECRET` (svix-style) — server-only. Used to verify webhooks.
- **CLK-KEY-1** Secret key NOT prefixed with `NEXT_PUBLIC_` / `VI