next-upgrade

Fail

Audited by Socket on Mar 3, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This skill is a legitimate upgrade guide for Next.js and its actions (reading package.json, fetching official docs, running Next codemods, and installing updated packages) are consistent with its stated purpose. The primary security concerns are supply-chain: use of npx @next/codemod@latest and npm install ...@latest executes code fetched from the npm registry and modifies local files. These are expected for this task but carry risk if run unreviewed. Recommended mitigations: pin codemod and package versions, run codemods on a feature branch or after committing changes, review diffs before applying, and prefer installing audited package versions rather than unpinned @latest. No direct evidence of malicious behavior or obfuscation is present in the provided instructions.

Confidence: 95%
Severity: 90%
Audit Metadata

Analyzed At: Mar 3, 2026, 08:26 AM
Package URL: pkg:socket/skills-sh/vercel-labs%2Fvercel-skills%2Fnext-upgrade%2F@962598faa417cf3b6c03ec2e5cbe0aa0aeb2c4a9