Skill

Next.js Security Scan

Scans Next.js and TypeScript/JavaScript projects for OWASP Top 10 vulnerabilities, XSS, injections, auth issues, hardcoded secrets, Next.js-specific problems, and dependency CVEs. Generates actionable security reports for audits and pre-deployment.

Next.js

Typescript

Javascript

security

Install

npx claudepluginhub sugarforever/01coder-agent-skills --plugin 01coder-skills

Tool Access

This skill uses the workspace's default tool permissions.

Preview

This skill enables comprehensive security scanning of Next.js and TypeScript/JavaScript projects based on OWASP guidelines and industry best practices.

Supporting Assets

assets/report-template.mdreferences/auth-vulnerabilities.mdreferences/injection-patterns.mdreferences/nextjs-specific.mdreferences/owasp-top-10.mdreferences/xss-patterns.mdscripts/dependency-audit.shscripts/pattern-scanner.pyscripts/secret-scanner.py

SKILL.md

Similar Skills

using-git-worktrees

Creates isolated Git worktrees for feature branches with prioritized directory selection, gitignore safety checks, auto project setup for Node/Python/Rust/Go, and baseline verification.

superpowers

168.3k

subagent-driven-development

3 files

Executes implementation plans in current session by dispatching fresh subagents per independent task, with two-stage reviews: spec compliance then code quality.

superpowers

168.3k

dispatching-parallel-agents

Dispatches parallel agents to independently tackle 2+ tasks like separate test failures or subsystems without shared state or dependencies.

superpowers

168.3k

Stats

Stars90

Forks27

Last CommitJan 12, 2026

Actions

View Source View Plugin View on GitHub View README

Next.js Security Scan Skill

This skill enables comprehensive security scanning of Next.js and TypeScript/JavaScript projects based on OWASP guidelines and industry best practices.

When to Use This Skill

Security audits of Next.js applications
Code review for security vulnerabilities
Pre-deployment security checks
Dependency vulnerability assessment
Detecting hardcoded secrets and credentials

Scan Types

1. Quick Scan

Fast scan focusing on critical vulnerabilities:

Hardcoded secrets and API keys
Dangerous function usage (dangerouslySetInnerHTML, eval)
Missing authentication in Server Actions
Known vulnerable dependencies

2. Full Scan

Comprehensive security assessment covering:

All OWASP Top 10:2025 categories
XSS vulnerability patterns
Injection vulnerabilities (SQL, NoSQL, Command)
Authentication and authorization flaws
Security misconfigurations
Cryptographic failures
Next.js-specific vulnerabilities
Dependency audit (CVE check)
Environment variable exposure

3. Targeted Scan

Focus on specific vulnerability categories:

--xss - Cross-site scripting patterns
--injection - SQL/NoSQL/Command injection
--auth - Authentication/authorization issues
--secrets - Hardcoded credentials
--deps - Dependency vulnerabilities
--nextjs - Next.js specific issues

Scan Procedure

Step 1: Project Discovery

Identify project type (Next.js App Router, Pages Router, or plain React)
Locate configuration files (next.config.js, package.json, .env*)
Map the codebase structure

Step 2: Dependency Audit

Run the dependency audit script:

./scripts/dependency-audit.sh

Or manually:

npm audit --json
# or
yarn audit --json

Step 3: Secret Scanning

Scan for hardcoded secrets:

python scripts/secret-scanner.py /path/to/project

Important: Environment File Handling

By default, real .env files are SKIPPED (.env, .env.local, .env.production, etc.)
These files contain actual secrets and should not be in version control
Only .env.example and .env.template files are analyzed for documentation quality
Use --include-env-files flag only if explicitly requested by user

The scanner will:

Scan source code for hardcoded secrets
Analyze .env.example templates to check:
- Which sensitive variables are documented
- Whether variables have descriptions (comments)
- If placeholder values look like real secrets
- Suggestions for missing common variables

Step 4: Pattern Analysis

For each file in the codebase, check against patterns in:

references/xss-patterns.md - XSS vulnerabilities
references/injection-patterns.md - Injection flaws
references/auth-vulnerabilities.md - Auth issues
references/nextjs-specific.md - Next.js vulnerabilities

Step 5: Report Generation

Generate a security report using:

assets/report-template.md - Report structure

Severity Classification

Severity	Description	Action Required
CRITICAL	Exploitable vulnerability with severe impact	Immediate fix required
HIGH	Significant security risk	Fix before deployment
MEDIUM	Potential security issue	Fix in next release
LOW	Minor security concern	Consider fixing
INFO	Security best practice suggestion	Optional improvement

Key Files to Scan

Always Check

**/*.ts, **/*.tsx, **/*.js, **/*.jsx - Source code
next.config.js, next.config.mjs - Next.js configuration
package.json, package-lock.json - Dependencies
middleware.ts, middleware.js - Middleware security

Environment Files

.env.example, .env.template - SCAN for template analysis
.env, .env.local, .env.production - SKIP by default (contain real secrets)

Note: Real .env files should never be committed to version control. The scanner analyzes .env.example templates to ensure proper documentation of required variables.

High Priority Locations

app/api/**/* - API routes (App Router)
pages/api/**/* - API routes (Pages Router)
**/actions.ts, **/*-actions.ts - Server Actions
lib/auth*, utils/auth* - Authentication code
**/middleware.* - Middleware files

Output Format

Findings should be reported as:

[SEVERITY] Category: Description
  File: path/to/file.ts:lineNumber
  Code: <relevant code snippet>
  Risk: <explanation of the security risk>
  Fix: <recommended remediation>

Integration with CI/CD

This skill can generate output compatible with:

GitHub Security Advisories
SARIF format for GitHub Code Scanning
JSON for custom integrations

References

Load additional context as needed:

references/owasp-top-10.md - OWASP Top 10:2025 quick reference
references/xss-patterns.md - XSS detection patterns
references/injection-patterns.md - Injection vulnerability patterns
references/auth-vulnerabilities.md - Authentication security patterns
references/nextjs-specific.md - Next.js specific vulnerabilities and CVEs