Back to skill

Security audit

Nextjs Expert

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Next.js coding skill with no executable install code or hidden data access.

Safe to install as a Next.js coding guidance skill. Be aware it may activate on generic terms like page.tsx or middleware, and review generated code carefully before production use, especially auth, database mutations, middleware, caching, and Server Actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list contains several broad, high-frequency terms such as "Next", "use client", "use server", and generic filenames like "page.tsx" and "middleware" that can match many unrelated prompts. This can cause the skill to activate outside true Next.js contexts, increasing the chance of incorrect guidance, prompt-routing abuse, or unintended influence over conversations that mention common web-development concepts.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.