nextjs-authentication
Warn
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill presents an attack surface for indirect prompt injection via untrusted data processing.
  - Ingestion points: Login forms in app/login/page.tsx and OAuth profile data (GitHub, Google, Discord) fetched during the sign-in flow.
  - Boundary markers: Includes middleware route protection and session checks in server actions, but lacks explicit sanitization steps for user-controlled strings.
  - Capability inventory: Includes database mutations (db.todo.create), session management, and redirection logic.
  - Sanitization: No explicit sanitization or strict schema validation for input data is demonstrated in the code examples.
- [COMMAND_EXECUTION]: Requires shell command execution for environment setup and secret key generation.
  - Evidence: Instructions require running npm install and generating an AUTH_SECRET using openssl in the Bash terminal.
- [EXTERNAL_DOWNLOADS]: Fetches dependencies and configurations from external registries and services.
  - Evidence: Downloads packages like next-auth, bcryptjs, and ORM adapters from the NPM registry. Fetches token refreshes from oauth2.googleapis.com.
- [CREDENTIALS_UNSAFE]: Promotes configurations and utility functions that weaken the security of the authentication implementation.
  - Evidence: Multiple configuration examples (GitHub and Google providers) use allowDangerousEmailAccountLinking: true, which is documented by the library as a risk for account takeover.
  - Evidence: The generateToken utility function in references/authjs-setup.md uses Math.random(), which is not cryptographically secure and is unsuitable for generating authentication tokens.
Audit Metadata