Next.js Security Scan

Community skill by sugarforever · vlatest · Repository

Identifies potential vulnerabilities in Next.js projects by analyzing code and dependencies for common security risks.

Install on your platform

1. Run in terminal (recommended):

   claude mcp add next.js-security-scan npx -- -y @trustedskills/next.js-security-scan

2. Or manually add to ~/.claude/settings.json:

   {
     "mcpServers": {
       "next.js-security-scan": {
         "command": "npx",
         "args": [
           "-y",
           "@trustedskills/next.js-security-scan"
         ]
       }
     }
   }

Requires Claude Code (claude CLI). Run claude --version to verify your install.

About This Skill

What it does

This skill performs security scans on Next.js and TypeScript/JavaScript projects, following OWASP guidelines and industry best practices. It identifies potential vulnerabilities in code and dependencies, including hardcoded secrets, dangerous function usage, authentication flaws, and dependency vulnerabilities. The scan can be configured as a Quick Scan (focusing on critical issues), a Full Scan (comprehensive assessment), or a Targeted Scan (focused on specific vulnerability categories).

When to use it

  • Security audits of Next.js applications
  • Code review for security vulnerabilities
  • Pre-deployment security checks
  • Dependency vulnerability assessment
  • Detecting hardcoded secrets and credentials

Key capabilities

  • Quick Scan: Identifies critical vulnerabilities like hardcoded secrets, dangerous function usage (e.g., dangerouslySetInnerHTML), missing authentication in Server Actions, and known vulnerable dependencies.
  • Full Scan: Covers all OWASP Top 10:2025 categories, XSS/Injection vulnerabilities, authentication/authorization flaws, security misconfigurations, cryptographic failures, Next.js-specific vulnerabilities, dependency audit (CVE check), and environment variable exposure.
  • Targeted Scans: Allows focusing on specific vulnerability types like XSS, injection, authentication issues, secrets, dependencies, or Next.js-specific problems.
  • .env File Handling: Analyzes .env.example and .env.template files to check documentation quality but skips actual secret files by default for security reasons.

Example prompts

  • "Run a quick security scan on my Next.js project."
  • "Perform a full security assessment of the codebase, including dependency checks."
  • "Scan for XSS vulnerabilities in the project."

Tips & gotchas

  • The skill skips real .env files containing actual secrets by default. Use the --include-env-files flag with caution if explicitly needed.
  • It analyzes .env.example and .env.template files to assess documentation quality of environment variables, checking for descriptions and placeholder values.
  • The skill identifies project type (App Router, Pages Router, or plain React) automatically.
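The two .env notes above (the documentation-quality check on .env.example and the "environment variable exposure" item in the Full Scan) can be illustrated with a small checker. The code below is an added example and is not the skill's own code; its conventions are assumptions: a variable counts as documented when a `#` comment sits directly above it, a value counts as a placeholder when it is empty or uses a common placeholder spelling, and any NEXT_PUBLIC_ variable whose name suggests a secret is flagged because Next.js inlines NEXT_PUBLIC_* values into the browser bundle. The sample .env.example is constructed for the example.

```javascript
// Added example, not the skill's own code: a small .env.example
// documentation-quality check plus a NEXT_PUBLIC_ exposure check.
// Assumed conventions (not from the page):
//  - a variable is documented when a `#` comment line sits directly
//    above it (a blank line resets the pending comment);
//  - a value is a placeholder when it is empty or matches common
//    placeholder spellings (your_..., <...>, changeme, xxx...).

const PLACEHOLDER_RE = /^(|<[^>]*>|your[-_].*|changeme|x{3,}|\.\.\.|todo|example.*|placeholder.*)$/i;
// Names that should never carry the NEXT_PUBLIC_ prefix: Next.js inlines
// NEXT_PUBLIC_* values into client-side JavaScript at build time.
const SENSITIVE_NAME_RE = /(SECRET|TOKEN|PASSWORD|PRIVATE_KEY|API_KEY)/i;

function checkEnvExample(text) {
  const findings = [];
  let pendingComment = null;
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === "") { pendingComment = null; continue; }
    if (line.startsWith("#")) { pendingComment = line.slice(1).trim(); continue; }
    const eq = line.indexOf("=");
    if (eq === -1) continue;                       // not an assignment line
    const name = line.slice(0, eq).trim().replace(/^export\s+/, "");
    let value = line.slice(eq + 1).trim();
    if (value.length >= 2 && (value[0] === '"' || value[0] === "'") &&
        value[value.length - 1] === value[0]) {
      value = value.slice(1, -1);                  // strip matching quotes
    }
    const documented = pendingComment !== null && pendingComment !== "";
    const placeholder = PLACEHOLDER_RE.test(value);
    const issues = [];
    if (!documented) issues.push("missing description comment above the variable");
    if (!placeholder) issues.push("value is not an obvious placeholder; confirm it is not a live credential");
    if (name.startsWith("NEXT_PUBLIC_") && SENSITIVE_NAME_RE.test(name)) {
      issues.push("NEXT_PUBLIC_ prefix ships this value to the browser; a secret must not be public");
    }
    findings.push({ name, documented, placeholder, issues });
    pendingComment = null;
  }
  return findings;
}

// Return one report line per variable that has at least one issue.
function summarize(findings) {
  return findings
    .filter((f) => f.issues.length > 0)
    .map((f) => `${f.name}: ${f.issues.join("; ")}`);
}

// Constructed sample .env.example (not taken from any real project).
const SAMPLE_ENV_EXAMPLE = `
# Postgres connection string used by the ORM
DATABASE_URL=postgresql://user:password@localhost:5432/app

# Secret used to sign session cookies
AUTH_SECRET=your_auth_secret_here

STRIPE_SECRET_KEY=

# Public analytics id (safe to ship to the browser)
NEXT_PUBLIC_ANALYTICS_ID=<analytics-id>

NEXT_PUBLIC_API_SECRET_TOKEN=changeme
`;

console.log(summarize(checkEnvExample(SAMPLE_ENV_EXAMPLE)).join("\n"));
```

On the sample, DATABASE_URL is flagged only because its value looks real rather than like a placeholder, STRIPE_SECRET_KEY for the missing comment, and NEXT_PUBLIC_API_SECRET_TOKEN for both the missing comment and the public prefix; AUTH_SECRET and NEXT_PUBLIC_ANALYTICS_ID pass. Real .env files are deliberately not read here, matching the skill's default of skipping them.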


TrustedSkills Verification

Unlike other registries that point to live repositories, TrustedSkills pins every skill to a verified commit hash. This protects you from malicious updates — what you install today is exactly what was reviewed and verified.

Security Audits

  • Gen Agent Trust Hub: Pass
  • Socket: Pass
  • Snyk: Pass

Details

  • Version: vlatest
  • License: (none listed)
  • Author: sugarforever
  • Installs: 35
