nextjs
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Risk Tags: COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [Command Execution] (LOW): The skill enables the Bash tool for running development and build commands. While necessary for its primary purpose, it provides a high-privilege environment for command execution.
- [Data Exposure] (LOW): The instructions explicitly mention sensitive file paths like .env.local and environment variables such as DATABASE_URL. Although these are standard Next.js practices, their exposure to tools like Read and Write presents a theoretical risk.
- [Indirect Prompt Injection] (LOW): As a code-generation utility, the skill is susceptible to indirect prompt injection where untrusted user input could be used to generate malicious scripts or configuration. Ingestion points: User requests for generating specific Next.js routes, components, or API logic. Boundary markers: Absent; the skill does not define delimiters for user-provided data. Capability inventory: Bash, Read, Write, Edit, Glob, Grep. Sanitization: Absent; no instructions are provided for sanitizing user input before it is used in code generation.
Audit Metadata