Nextjs

Security checks across malware telemetry and agentic risk

Overview

This is a simple Next.js guidance skill with no executable code, credential access, persistence, or hidden behavior in the installed artifact.

This skill appears low risk to install. Treat generated Next.js code and the external SkillBoss setup-guide link as normal development inputs: review commands, dependencies, deployments, and any API-key requests before running or publishing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The usage guidance is broad and underspecified: 'developer workflow work for developers, technical founders, product engineers' does not clearly bound what the skill should or should not be used for. In an automated skill-selection or invocation system, this can cause the skill to be triggered for loosely related tasks, leading to inappropriate code-generation or workflow actions in contexts the skill was not designed to handle safely.

VirusTotal

64/64 vendors flagged this skill as clean.
