This skill should be used when the user asks about "Next.js security", "React security", "Server Components", "Server Actions", "Route Handlers", "RSC vulnerabilities", "SSR security", or needs comprehensive Next.js/React security analysis during whitebox pentesting.
From vuln-scoutnpx claudepluginhub allsmog/vuln-scout --plugin vuln-scoutThis skill uses the workspace's default tool permissions.
route-handlers.mdserver-actions.mdDesigns and optimizes AI agent action spaces, tool definitions, observation formats, error recovery, and context for higher task completion rates.
Enables AI agents to execute x402 payments with per-task budgets, spending controls, and non-custodial wallets via MCP tools. Use when agents pay for APIs, services, or other agents.
Compares coding agents like Claude Code and Aider on custom YAML-defined codebase tasks using git worktrees, measuring pass rate, cost, time, and consistency.
Comprehensive security patterns for Next.js and React applications, covering both client-side and server-side attack surfaces.
┌─────────────────────────────────────────────────────────────┐
│ Next.js Application │
├─────────────────────────────────────────────────────────────┤
│ │
│ Client-Side (Browser) Server-Side (Node.js) │
│ ┌──────────────────┐ ┌──────────────────────┐ │
│ │ React Components │ │ Server Components │ │
│ │ Client Actions │◄────────►│ Server Actions │ │
│ │ useEffect/State │ │ Route Handlers │ │
│ └──────────────────┘ │ Middleware │ │
│ │ getServerSideProps │ │
│ └──────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────┘
"use server")app/api/**/route.ts)__NEXT_DATA__# Find all Server Actions
grep -rn '"use server"' --include="*.ts" --include="*.tsx"
# Find all Route Handlers
find . -path "*/app/api/*" \( -name "route.ts" -o -name "route.js" \)
# Find middleware
find . -name "middleware.ts" -o -name "middleware.js"
# Find page components
find ./app -name "page.tsx" -o -name "page.js"
# Server Actions called from forms
grep -rn "action=" --include="*.tsx" | grep -v node_modules
# Server Actions called programmatically
grep -rn "startTransition\|useTransition" --include="*.tsx"
# Route Handler methods
grep -rn "export.*function\s\+\(GET\|POST\|PUT\|DELETE\|PATCH\)" --include="route.ts"
# Find auth patterns
grep -rn "getServerSession\|getSession\|auth\(\)" --include="*.ts" --include="*.tsx"
# Find unprotected handlers (no auth import)
for f in $(find . -path "*/app/api/*" -name "route.ts"); do
if ! grep -q "getServerSession\|auth\|verify" "$f"; then
echo "Potentially unprotected: $f"
fi
done
# Find request data access
grep -rn "request\.json\|request\.formData\|request\.text" --include="*.ts"
# Find database operations
grep -rn "prisma\.\|db\.\|sql\`\|query\(" --include="*.ts"
# Find external API calls
grep -rn "fetch\(\|axios\.\|got\(" --include="*.ts"
See framework-patterns/nextjs-patterns.md for detailed pattern.
// VULNERABLE: No auth check
export async function DELETE(req: Request) {
const { id } = await req.json();
await db.user.delete({ where: { id } }); // Anyone can delete!
return Response.json({ success: true });
}
// VULNERABLE: Sensitive data exposed
async function UserProfile({ userId }: { userId: string }) {
const user = await db.user.findUnique({ where: { id: userId } });
// Full user object including password hash goes to client!
return <ClientProfile user={user} />;
}
// VULNERABLE: Case-sensitive matching
export const config = {
matcher: '/admin/:path*' // /Admin/secret bypasses!
}
Next.js vulnerabilities often enable chains:
| Next.js Vulnerability | Chains To |
|---|---|
| Server Action SSRF | Internal Flask/Django SSTI |
| Server Action SSRF | Cloud metadata (169.254.169.254) |
| Route Handler SQLi | Data exfiltration, auth bypass |
| Middleware Bypass | Admin panel access |
| Data Leak | Credential theft, session hijacking |