Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Next Best Practices

v0.1.0

Next.js best practices - file conventions, RSC boundaries, data patterns, async APIs, metadata, error handling, route handlers, image/font optimization, bund...

by vi.dev (@tuanvidev)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the provided files: the repository is a collection of Next.js guidance (file conventions, RSC boundaries, routing, images/fonts, bundling, etc.). No unrelated environment variables, binaries, or install steps are requested. All files are documentation/examples consistent with a linter/guide style skill.
Instruction Scope
SKILL.md and the included files are human-oriented guidance and code samples for writing Next.js apps. Most instructions stay on-topic. One notable section (debug-tricks.md) documents using the local dev MCP endpoint (/_next/mcp) with curl and lists RPC tools that can reveal project paths, dev server URL, routes, errors, and log file locations. Those are legitimate developer debugging steps but — if an agent were given network access to localhost or filesystem access — they would allow it to query local dev servers and learn local paths and runtime data. The files also contain code samples that read local files (e.g., readFile for custom fonts) which are examples, not code the skill automatically runs.
Install Mechanism
No install specification and no code to write to disk — lowest-risk posture. This is instruction-only; the skill will not fetch or execute third‑party binaries during install.
Credentials
The skill declares no required environment variables, credentials, or config paths. However, the documentation includes examples that access local resources (dev server endpoints, local font files, .next logs). Those examples do not require you to provide secrets, but if the agent is allowed to make network requests to localhost or read files, it could obtain local project metadata and logs — so the requested surface remains proportionate to the stated purpose but operational permissions granted to the agent change the risk.
Persistence & Privilege
No 'always: true', no install-time writes, and nothing in the files attempts to modify other skills or global agent config. The skill is not requesting persistent privileges beyond normal agent invocation.
Assessment
This skill is a documentation-only Next.js best-practices bundle and is coherent with its description. It does not request credentials or install software. Two practical cautions: (1) the debug-tricks.md section shows how to call a local dev endpoint (/_next/mcp) which can return project paths, routes, logs and other development metadata — only allow the agent to make network requests to localhost if you trust it and its environment; (2) several examples show reading local files (fonts, assets) — those are sample snippets, but if you grant the agent filesystem access it could read files referenced by those examples. If you are concerned, keep the skill but restrict the agent's ability to access localhost/network or the host filesystem, or disable autonomous invocation for this skill. If you want, review any uses of the MCP endpoint and log/file paths in your environment before enabling agent network/file permissions.

Like a lobster shell, security has layers — review code before you run it.
