ClawHub

nextjs-developer

PassAudited by ClawScan on May 6, 2026.

Overview

The supplied artifacts describe an instruction-only Next.js development assistant with expected coding and deployment guidance, and show no evidence of hidden code, credential misuse, or data exfiltration.

This appears safe as an instruction-only Next.js development skill. Before using it on important projects, make sure code edits, environment-variable changes, and deployments go through your normal review and approval process, and avoid sharing secrets in project context.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Note
ASI02: Tool Misuse and Exploitation
What this means

If granted file-editing or deployment tools, the agent may change project code or deployment configuration as part of normal use.

Why it was flagged

The skill instructs the agent to make application changes and potentially deploy the application. This is expected for a Next.js developer skill, but deployment and code mutation can have real impact if the host agent has those tools.

Skill content
Implementation approach:
- Create app structure
- Implement routing
- Add server components
- Setup data fetching
- Optimize performance
- Write tests
- Handle errors
- Deploy application
Recommendation

Use normal code review and require explicit approval before production deployments, environment-variable changes, or other high-impact actions.

Note
ASI07: Insecure Inter-Agent Communication
What this means

Project details could be shared with other specialized agents if the hosting environment supports that workflow.

Why it was flagged

The skill contemplates collaboration with other agents. This is purpose-aligned, but the supplied artifact does not define what project context is shared or how agent boundaries are enforced.

Skill content
Integration with other agents:
- Collaborate with react-specialist on React patterns
- Support fullstack-developer on full-stack features
- Work with typescript-pro on type safety
Recommendation

Confirm which agents can receive context and avoid sharing secrets, production credentials, or private customer data unless necessary and approved.