NextSteps
v1.0.1
Append context-aware next-step suggestions after agent responses. Generates actionable follow-ups, surfaces unfinished tasks from memory, and includes creati...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill's behavior (reading context from the project, seeding preferences from project scans, and writing .nextsteps/PREFERENCES.md, BACKLOG.md, HISTORY.md) matches the stated purpose of producing context-aware next-step suggestions. There are no unrelated environment variables, binaries, or external endpoints requested. One minor inconsistency: references/SECURITY.md mentions a dependency and tile.json (cisco/software-security and ^1.2.0) even though this skill is instruction-only and provides no install/dependency manifest; this appears informational rather than functional.
Instruction Scope
SKILL.md instructs the agent to read project files (README, package.json, Cargo.toml, pyproject.toml, go.mod), inspect git history (last 10 commits if available), and read/update files under a local .nextsteps/ directory. It will create PREFERENCES.md, HISTORY.md, and BACKLOG.md when missing and will append logs and backlog entries during operation. This file I/O and project scanning are consistent with the feature but are broader than a purely stateless suggestion generator — expect the skill to collect project context and persist records locally. Also note the self-improvement/implicit learning rules that adjust preferences silently (with only logged HISTORY.md entries) — this silent mutation of user preferences may be surprising to some users.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or executed from external URLs.
Credentials
The skill requests no environment variables or external credentials. Its file access (project files, .nextsteps/*) is proportionate to its purpose. It does look for potentially sensitive project artifacts (e.g., .env, *.pem) only to recommend adding them to .gitignore; that behavior protects privacy but means the cold-start scan could encounter secrets present in the repo. No network endpoints are referenced for exfiltration.
Persistence & Privilege
The skill will create and maintain a local .nextsteps/ directory and update PREFERENCES.md, BACKLOG.md, and HISTORY.md over time. always is false and it does not request system-wide config changes, but implicit learning steps state some preference adjustments may happen silently (logged but not always confirmed). That persistence is consistent with the feature but is a behavioral privilege: the skill will accumulate local data about your activity and can change local preference files.
Scan Findings in Context
[no-findings] expected: The package is instruction-only and the regex scanner had no code files to analyze. The absence of findings is expected for an instruction-only skill; review the SKILL.md instructions for behavioral risks.
Assessment
This skill appears to do what it says: it scans your project for context and writes a .nextsteps/ folder with PREFERENCES.md, BACKLOG.md, and HISTORY.md to track suggestions and learning. Before installing or enabling it, consider: 1) Where will the agent run (project root vs home)? .nextsteps will be created in the working directory. 2) Review the created files after first run (they may contain project filenames, backlog items, or snippets that could be sensitive). 3) Add .nextsteps/ to your .gitignore (the skill already prioritizes suggesting this) so these local logs and preferences aren't committed. 4) Be aware the skill performs implicit learning that can silently change preferences (it logs changes in HISTORY.md but may not always prompt for confirmation). If you prefer explicit control over writes/automatic preference changes, do not enable it or ask the agent to restrict write operations and require confirmations before modifying PREFERENCES.md or BACKLOG.md.
Like a lobster shell, security has layers — review code before you run it.
