Nextjs

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Next.js guidance skill, with a couple of examples users should avoid copying with real secrets.

Reasonable to install as a Next.js reference. Review commands before running them, prefer the ClawHub install path over unpinned remote npx/GitHub installs, and do not copy examples that return cookies, session IDs, auth tokens, secrets, internal URLs, or private feature flags to clients.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 88%
Finding:
The example reads a cookie token and returns it in a JSON response, which demonstrates a pattern that can expose session or authentication secrets to client-side code or downstream consumers. In documentation for Next.js route handlers, readers may copy this example directly, so showing a secret-bearing cookie reflected in the response without a warning normalizes an unsafe practice.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The example exposes a public API endpoint that returns values derived from server-side environment variables. Although the snippet says not to use NEXT_PUBLIC_* for dynamic config, it does not warn that API_URL and FEATURES may still reveal internal endpoints, feature flags, or deployment details to any client that can call the route, which can aid reconnaissance or unintentionally leak sensitive configuration.

VirusTotal

66/66 vendors flagged this skill as clean.