nextjs-16-specialist
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [Remote Code Execution] (HIGH): The skill instructs the user or agent to execute unverified remote code via `npx -y next-devtools-mcp@latest`. Running `npx` with the `@latest` tag from an unverified source allows the package owner to execute arbitrary code on the host machine.
  - Evidence: Found in `SKILL.md` under the 'Next.js DevTools MCP' section.
- [Metadata Poisoning] (MEDIUM): The skill claims to support 'Next.js 16' and 'React 19.2' with a release date of 'November 2025'. As of current standards, these versions do not exist. This misleading metadata can cause an AI agent to attempt to implement non-existent APIs (e.g., `cacheComponents: true` or `proxy.ts`) or install non-existent packages, leading to system instability.
- [Indirect Prompt Injection] (HIGH): The skill provides templates for handling external data (Firebase Storage uploads and Firestore database writes) and includes write capabilities via Server Actions without providing comprehensive sanitization logic.
  - Ingestion points: `uploadImage` in `references/advanced-patterns.md`, `signUpAction` in `references/setup-guide-detailed.md`.
  - Boundary markers: Absent. There are no instructions for the agent to treat user-provided data as untrusted when implementing these templates.
  - Capability inventory: `setDoc` (Firestore write), `uploadBytes` (Storage write), and `npx` (CLI execution).
  - Sanitization: Inconsistent; while one example uses Zod, others allow direct interpolation of user-controlled fields like `displayName` into database documents.
- [External Downloads] (LOW): Instructs the download of numerous packages. While most are standard (e.g., `firebase`, `@mui/material`), the presence of unverified packages like `next-devtools-mcp` increases the risk profile.
Recommendations
- AI detected serious security threats
Audit Metadata