
better-auth

Self-hosted auth for TypeScript/Cloudflare Workers with social auth, 2FA, passkeys, organizations, RBAC, and 15+ plugins. Requires Drizzle ORM or Kysely for D1 (no direct adapter). Self-hosted alternative to Clerk/Auth.js. Use when: self-hosting auth on D1, building OAuth provider, multi-tenant SaaS, or troubleshooting D1 adapter errors, session caching, rate limits, Expo crashes, additionalFields bugs.

Status: Invalid. This skill can't be scored yet: validation errors are blocking scoring. Review and fix them to unlock the Quality, Impact and Security scores.

Security

2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.

Medium: W011: Third-party content exposure detected (indirect prompt injection risk)

What this means

The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.

Why it was flagged

Third-party content exposure detected (high risk: 0.80). The skill's required workflow includes social OAuth and generic-OAuth discovery/userinfo fetches (see the SKILL.md socialProviders sections and references/cloudflare-worker-drizzle.ts / references/cloudflare-worker-kysely.ts). These fetches ingest public third-party user profile and discovery JSON, which is user-generated and untrusted, and use that data to create sessions and drive authorization flows, so external content can materially influence agent behavior.

Medium: W009: Direct money access capability detected (payment gateways, crypto, banking)

What this means

The skill is specifically designed for direct financial operations, giving the agent the ability to move money or execute financial transactions — such as payment processing, cryptocurrency operations, banking integrations, or market order execution.

Why it was flagged

Direct money access detected (high risk: 1.00). The skill explicitly includes a "Stripe" plugin and repeatedly references Stripe-specific payment/subscription functionality (e.g., "Stripe: Payment and subscription management", "Stripe enhancements - Flexible subscription lifecycle, `disableRedirect` option", and "Stripe" listed under Advanced Plugins). Stripe is a payment gateway; this is a specific financial integration (not a generic HTTP or browser tool). Because it exposes payment/subscription management capabilities tied to a concrete gateway, it grants direct financial execution authority.

Repository: jezweb/claude-skills
Audited: yes
Security analysis: Snyk
