auth
Facilitates OAuth sessions and identity management using Epicenter's auth packages for seamless integration in applications.
Security score
The auth skill was audited on Jun 3, 2026 and we found 29 security issues across 2 threat categories, including 18 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 336 | const response = await auth.fetch(`${EPICENTER_API_URL}/api/ai/chat`, { |
Access to system keychain/keyring
| 37 | Epicenter uses Better Auth for auth-server machinery, OAuth for the app/resource boundary, and AuthState{ownerId,keyring} for workspace boot. |
Access to system keychain/keyring
| 44 | the per-owner workspace keyring, and returns `ApiSessionResponse`. |
Access to system keychain/keyring
| 138 | keyring: Keyring; |
Access to system keychain/keyring
| 143 | keyring: Keyring; |
Access to system keychain/keyring
| 158 | `AuthState` arms carry `ownerId` and `keyring` directly. There is no nested |
Access to system keychain/keyring
| 160 | by surfaces that display it, not held in state. `ownerId` and `keyring` are |
Access to system keychain/keyring
| 163 | id picks the right local storage partition and the keyring can still decrypt |
Access to system keychain/keyring
| 194 | keyring: Keyring, |
Access to system keychain/keyring
| 203 | keyring: Keyring, |
Access to system keychain/keyring
| 216 | keyring -> local decrypt (offline-useful) |
Access to system keychain/keyring
| 220 | `userId` / `ownerId` / `keyring` remain useful offline: they select and decrypt |
Access to system keychain/keyring
| 228 | Refresh failure must preserve the cached `ownerId` and `keyring` so local |
Access to system keychain/keyring
| 249 | Unavailable (offline) -> no bearer; local decrypt continues via cached keyring |
Access to system keychain/keyring
| 254 | keyring is cached. A different-`ownerId` `/api/session` response wipes the |
Access to system keychain/keyring
| 255 | local cell (same-owner guard); a changed keyring rewrites the cell. |
Access to system keychain/keyring
| 415 | keyring: () => Keyring; |
Access to system keychain/keyring
| 431 | keyring: signedIn.keyring(), |
Access to system keychain/keyring
| 438 | keyring: signedIn.keyring(), |
Access to system keychain/keyring
| 462 | `keyring` is a callback because the same-owner keyring can rotate |
Access to system keychain/keyring
| 464 | `auth.state.keyring`. `server` is the API host alone (local-storage partition |
Access to system keychain/keyring
| 482 | returns `{ user: { id, email }, ownerId, keyring }` where the keyring comes from |
Access to system keychain/keyring
| 483 | `deriveKeyring(ownerId)`. |
Access to system keychain/keyring
| 519 | mismatch with `OwnerMismatch` (403). The keyring derivation's HKDF label IS the |
Access to system keychain/keyring
| 520 | `ownerId`: personal owners get a per-user keyring, every member of a shared |
Access to system keychain/keyring
| 521 | deployment shares one keyring. |
Access to system keychain/keyring
| 537 | `keyring` available. |
Access to system keychain/keyring
| 546 | `encryptionKeys` / `EncryptionKeys`. They do not exist. The term is `keyring` |
Access to system keychain/keyring
| 547 | / `Keyring`, and workspace binding goes through `createSession` / `SignedIn`. |