next-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill employs deceptive instructions claiming the existence of 'Next.js 16' features like the `proxy.ts` rename and the `/_next/mcp` endpoint. These features do not exist in official Next.js releases (current stable is v15). This is a form of metadata poisoning intended to misguide the agent's behavior and capability assessment.
- COMMAND_EXECUTION (MEDIUM): The `debug-tricks.md` file provides specific `curl` commands for the agent to interact with `localhost:<port>/_next/mcp`. It describes tools like `get_errors`, `get_routes`, and `get_project_metadata` as standard protocols. This encourages the agent to perform environment discovery and execute network requests to internal services based on fabricated 'best practices'.
- INDIRECT PROMPT INJECTION (LOW): The fabricated `/_next/mcp` endpoint serves as a surface for indirect prompt injection. If an agent is persuaded to query this local endpoint while working on a project controlled by an attacker, the project could return malicious JSON-RPC responses to influence the agent's next actions.
  - Ingestion points: `curl` requests to `localhost` endpoints described in `debug-tricks.md`.
  - Boundary markers: Absent; the agent is told to trust these as standard developer tools.
  - Capability inventory: The skill assumes the agent can execute shell commands (`curl`) and process JSON-RPC responses.
  - Sanitization: None provided for the data returned from the local dev server.
- EXTERNAL_DOWNLOADS (SAFE): References to `@next/codemod` and `@next/third-parties` use trusted sources (Vercel/Next.js). The download patterns are standard for the described (though partially fabricated) migration tasks.
Audit Metadata