nextjs-devtools
Audited by Socket on Feb 16, 2026
1 alert found:
Security [Skill Scanner]: Credential file access detected

All findings:
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]
[HIGH] data_exfiltration: Credential file access detected (DE002) [AITech 8.2.3]

No explicit malicious behavior is visible in the provided documentation alone. The capabilities described (reading routes, components, build info, next.config.js) align with the stated purpose. However, there is a supply-chain and data-exfiltration risk because the tool is invoked via npx next-devtools-mcp@latest (runtime fetch from npm) and the architecture references an MCP server/client model without clarifying whether data ever leaves the developer's machine.

Recommendation: treat this as moderately risky until the package source code or repository is reviewed; prefer pinned versions, verify package repository and integrity, and confirm the server is local-only before sending confidential project files to it.

LLM verification: Functional behavior appears consistent with the stated purpose (inspecting Next.js projects). The main security concern is the workflow that runs remote, unpinned code via npx with filesystem and network capability and lacks transparency about endpoints or a file access whitelist. This creates a supply-chain/data-exfiltration risk rather than immediate evidence of malware.

Recommended actions: audit the package source (repo and published package), pin to a known-good release or vendor-provided che