
Audit history

next-js-16-launchpad - 6 audits

Audit version 6

Latest: Medium risk

Jun 28, 2026, 07:59 PM

Static analysis reported many command, network, environment, and sensitive-data patterns, but most are Markdown examples or public starter-code samples. No prompt injection, credential exfiltration, obfuscation, or confirmed malicious intent was found. The skill should publish with a medium warning because the included PowerShell bootstrap script and documented commands execute package-manager operations when users run them.

Files scanned: 15
Lines analyzed: 3,350
Findings: 11
Auditor: codex

Medium-risk issues (2)
Bootstrap Script Executes Package Manager Commands
The PowerShell helper runs npx and npm commands, including a codemod, package installation, and create-next-app. This is visible setup behavior, not hidden malware, but it fetches and runs external packages and writes project files when executed.
Command-Heavy Documentation Requires User Review
The static command findings mostly come from Markdown examples for npx, npm, node, next, and mv. These are false positives for hidden code execution, but users may copy and run them, so publication should include a warning about reviewing commands first.
Low-risk issues (5)
Network Calls Are Public Examples
The fetch and hardcoded URL findings point to example endpoints such as jsonplaceholder and api.example.com. I did not find evidence that credentials or local data are sent to an unauthorized endpoint.
Environment Secret Access Appears Only in Auth Examples
The process.env.JWT_SECRET hits are documentation examples for JWT verification. They do not show exfiltration, logging, or hidden collection of environment variables.
Browser Storage and Credential Findings Are Documentation Text
The browser storage and credential-related hits are explanatory text about when Client Components need browser APIs and why cached scopes cannot access cookies. No browser credential file access was found.
Starter Error Boundary Displays Error Messages
The starter dashboard error boundary renders error.message. This is a minor information-disclosure concern if copied into production without sanitization, but it is normal sample UI and not a malicious pattern.
Weak Cryptography Detections Are Keyword False Positives
The weak cryptography detections align with framework documentation phrases such as Cache Components, layout metadata, or ordering examples. I did not find MD5, SHA1, DES, or custom cryptographic operations in the inspected locations.

Detected patterns

Bootstrap Script Executes Package Manager Commands
Network Calls Are Public Examples
Environment Secret Access Appears Only in Auth Examples

Audit version 5

Safe

Jan 16, 2026, 07:44 PM

All 849 static findings are false positives. The skill is a legitimate Next.js 16 documentation resource. External commands, network calls, and crypto references are all from markdown documentation showing code examples, not actual executable code with security implications.

Files scanned: 16
Lines analyzed: 3,648
Findings: 2
Auditor: claude

No security issues found

Audit version 4

Safe

Jan 16, 2026, 07:44 PM

All 849 static findings are false positives. The skill is a legitimate Next.js 16 documentation resource. External commands, network calls, and crypto references are all from markdown documentation showing code examples, not actual executable code with security implications.

Files scanned: 16
Lines analyzed: 3,648
Findings: 2
Auditor: claude

No security issues found

Audit version 3

Low risk

Jan 10, 2026, 11:58 AM

This skill contains documentation and reference code for Next.js 16 development. A PowerShell bootstrap script is included for project setup but only runs standard Node.js/npm commands. No malicious behavior, data exfiltration, or credential theft detected.

Files scanned: 15
Lines analyzed: 4,900
Findings: 2
Auditor: claude

No security issues found

Risk factors

Audit version 2

Low risk

Jan 10, 2026, 11:58 AM

This skill contains documentation and reference code for Next.js 16 development. A PowerShell bootstrap script is included for project setup but only runs standard Node.js/npm commands. No malicious behavior, data exfiltration, or credential theft detected.

Files scanned: 15
Lines analyzed: 4,900
Findings: 2
Auditor: claude

No security issues found

Risk factors

Audit version 1

Low risk

Jan 10, 2026, 11:58 AM

This skill contains documentation and reference code for Next.js 16 development. A PowerShell bootstrap script is included for project setup but only runs standard Node.js/npm commands. No malicious behavior, data exfiltration, or credential theft detected.

Files scanned: 15
Lines analyzed: 4,900
Findings: 2
Auditor: claude

No security issues found

Risk factors