Next Best Practices
Security checks across malware telemetry and agentic risk
Overview
This appears to be an instruction-only Next.js best-practices skill, with only minor caution needed around optional codemod commands and local MCP debugging examples.
This skill looks safe as documentation for Next.js development. Before installing or using it, be mindful that some examples are operational: only let an agent run codemods or query the local MCP debugging endpoint when you explicitly want that behavior, and review any file changes or debug output before sharing or committing.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If followed, this command may change many source files, and its behavior depends on whatever the npm package contains at execution time.
The documentation recommends running the latest npm-published Next.js codemod against the project. This is purpose-aligned for migration, but it downloads and executes unpinned tooling and can modify project files.
npx @next/codemod@latest next-async-request-api .
Run codemods only when intended, preferably from a clean version-control state; consider pinning versions where practical and review diffs before committing.
An agent that queries this endpoint on the wrong dev server, or shares the results carelessly, could reveal project structure or debugging details.
The skill documents using a local MCP endpoint that can expose route lists, project paths, errors, and log locations. This is useful for debugging, but it crosses an agent/protocol boundary and may reveal local project metadata.
Next.js exposes a `/_next/mcp` endpoint in development for AI-assisted debugging via MCP ... `get_routes` Discover all routes by scanning filesystem ... `get_project_metadata` Get project path and dev server URL
Use MCP debugging only on the intended local development server, verify the port, and avoid sharing logs or project metadata publicly unless reviewed.
