secondme-nextjs
Audited by Socket on Feb 22, 2026
1 alert found:
Security [Skill Scanner]: Credential file access detected

No explicit malware or obfuscated malicious code was found in the skill/instructions. However, the specification contains multiple security-sensitive design choices that raise a moderate supply-chain/security risk: writing long-lived secrets to disk, storing OAuth tokens in plaintext in the DB, relaxing OAuth state validation (weakening CSRF protection), and proxying all local routes to an upstream API without explicit filtering. These choices are plausible for a legitimate scaffolding tool but are security-sensitive and must be addressed in generated code (encrypt/rotate secrets, maintain CSRF protections or require explicit consent for relaxed behavior, sanitize upstream responses, pin dependencies, and audit the third-party 'frontend-design' skill). Overall this is not malware, but it is a moderately risky generator that requires secure implementation and developer attention.

LLM verification: No explicit malicious payload or obfuscated malware is present in the skill text. The skill's requested capabilities (reading state.json, writing .env.local, creating Prisma models to store tokens, and proxying local routes to upstream APIs) are coherent with its stated purpose but carry notable supply-chain and configuration risks: unpinned dependency installs, writing and using raw client_secret and DATABASE_URL from state.json, proxying all local API traffic to whichever base_url is provided