ClawHub
Back to skill
v1.1.0

NextJS

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:31 AM.

Analysis

This is a documentation-only Next.js helper with no executable code or credential requirements; the main thing to notice is its local project-memory file and normal deployment command examples.

GuidanceThis skill appears safe to install as a Next.js reference. Be aware that it may save project preferences under ~/nextjs, so avoid storing secrets there, and review any deployment, package-install, Docker, or PM2 commands before allowing the agent to run them.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
deployment.md
# Production deploy
vercel --prod
...
pm2 start ecosystem.config.js
pm2 save
pm2 startup

The documentation includes deployment and process-manager commands that can publish an app or configure a persistent service if a user asks the agent to apply them.

User impactRunning these examples without review could deploy to the wrong target or leave an application process configured to restart automatically.
RecommendationTreat deployment and PM2 commands as manual, user-approved steps and confirm the project, account, environment variables, and production target before running them.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
SeverityLowConfidenceHighStatusNote
setup.md
After learning about their setup, save to `~/nextjs/memory.md` ... For project-specific patterns, use `~/nextjs/projects/{name}.md`.

This creates persistent local project memory that can influence future sessions, though it is clearly scoped to Next.js preferences and project conventions.

User impactProject details and preferences may be retained locally and reused later by the agent.
RecommendationKeep secrets out of these memory files and review or delete ~/nextjs/memory.md if saved preferences become outdated or unwanted.