React Nextjs Generator

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to be a real Next.js project generator, but its file-generation paths are not safely confined and it runs npm tooling at runtime.

Install only if you are comfortable with it creating files and running npm tooling locally. Use a fresh, isolated output folder, review generated paths before running the project, and prefer a version that validates routes and uses package-relative script paths.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or malformed requirements document could cause the generator to write files in unexpected local folders, not just inside the generated app.

Why it was flagged

Page routes are derived from the requirements document and joined directly into filesystem paths; '..' path segments are not rejected, so generation can create or overwrite page.tsx files outside the intended project directory.

Skill content
const routePath = page.route.startsWith('/') ? page.route.slice(1) : page.route;
const pageDir = routePath === '' ? pagesDir : path.join(pagesDir, ...routePath.split('/'));
...
await fs.promises.writeFile(path.join(pageDir, 'page.tsx'), pageContent);

Recommendation

Normalize and validate all generated paths, reject absolute paths and '..' segments, verify resolved paths stay under the project directory, and ask before overwriting existing files.

What this means

Running the skill may fetch and execute third-party package code from npm, so results can change over time and depend on network/package integrity.

Why it was flagged

The generator downloads and runs npm tooling and installs dependencies at runtime; this is expected for a Next.js generator, but it depends on the current npm package ecosystem.

Skill content
npx create-next-app@latest . --typescript --tailwind --eslint --app --src-dir --import-alias "@/*"

npm install antd @ant-design/icons zustand

Recommendation

Document Node/npm requirements, pin package versions where possible, include or generate a lockfile, and run in an isolated project directory.

What this means

The skill may not run reliably after installation, or it could execute the wrong local file if that absolute path exists.

Why it was flagged

The runtime instruction uses a hard-coded absolute developer path instead of a package-relative path, which can fail on other systems or target a different local file than intended.

Skill content
Invoke `/Users/batype/.openclaw/workspace/skills/react-nextjs-generator/runner.ts` to generate the project

Recommendation

Use relative paths resolved from the installed skill directory and ensure the executed file is the reviewed bundled runner.