Skill v0.1.0
ClawScan security
Next Upgrade · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 19, 2026, 4:43 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions, file accesses, and runtime actions align with its stated purpose of upgrading a Next.js project; it has no unexplained credential requests or install steps, though it does rely on runtime npx codemods (normal but worth caution).
- Guidance: This skill is coherent for upgrading Next.js. Before running it: (1) run it in a clean git branch and fully commit or stash changes so you can review/undo edits; (2) review or pin the specific codemod transforms and versions instead of blindly running @latest; (3) inspect codemod output and run your test/build steps locally or in CI; (4) back up or ensure CI/tests are green before merging; (5) if you want stricter control, run the listed WebFetch URLs and codemods manually rather than letting an automated agent execute npx. If the SKILL.md later adds unknown network endpoints or requests credentials, stop and reassess.
Review Dimensions
- Purpose & Capability (ok): Name/description match the actions in SKILL.md: reading package.json, consulting official Next.js upgrade docs, running codemods, updating dependencies, and testing are all expected for a Next.js upgrade helper.
- Instruction Scope (note): Instructions stay within the upgrade task (reading package.json, next.config.js, applying codemods, updating deps, running build/dev). Notable: it instructs fetching docs from nextjs.org (expected) and running npx to execute codemods, which will read and modify project files — expected for the task but grants filesystem write capability to the codemod code.
- Install Mechanism (note): There is no static install spec (instruction-only). However, the runtime instructions call npx @next/codemod@latest, which downloads and executes code from the npm registry at runtime. This is a common pattern for codemods but carries the usual risk of executing third-party package code; pinning transforms/versions or reviewing the codemod before running reduces risk.
- Credentials (ok): The skill declares no required env vars, credentials, or config paths. The files it reads/writes (package.json, next.config.js, project files) are proportional to its purpose and are explicitly mentioned in the instructions.
- Persistence & Privilege (ok): The skill is not always-on and requests no elevated platform privileges. It does instruct commands that modify the project (npx codemods, npm install), which is appropriate for an upgrade tool but means it will change local repository state when invoked.
