Skills
skills/marcellocurto/skills/nextjs-setup/Gen Agent Trust Hub

nextjs-setup

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes bunx create-next-app@latest to scaffold projects. This uses the official Next.js initialization tool provided by Vercel, a well-known service provider.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface where user-supplied input (the directory name) is interpolated into a shell command.
  • Ingestion points: User provides the target directory name and path in the interactive workflow described in SKILL.md.
  • Boundary markers: There are no explicit boundary markers or instructions to ignore embedded commands in the template.
  • Capability inventory: The skill has the ability to execute shell commands via bunx and perform file system operations.
  • Sanitization: No logic is defined to sanitize or validate the user-provided directory name before it is passed to the shell, which represents a potential command injection surface.
Audit Metadata
Risk Level
SAFE
Analyzed
May 11, 2026, 02:40 AM