Check skill
Next.js Security Audit
draft, under review4 phases2 bundled files
The security pass before you ship: auth and ownership, injection, XSS, SSRF, secret leaks, and missing headers. It flags what a grep can catch and hands you a review checklist for the rest, because a scanner cannot certify that your authorization is correct.
/plugin marketplace add Selwynuy/selwynuy /plugin install selwyn-handbook@selwyn-handbook # then run: /selwyn-handbook:nextjs-security-audit
Or read it as SKILL.md.
When it activates
Use this skill when shipping a Server Action, Route Handler, form, data flow, or next.config change in a Next.js app.
The workflow
Scan
Run the scanner over the changed files to flag the mechanically-detectable risks (leaked secrets, interpolated SQL, dangerouslySetInnerHTML, fetch to a user URL, spread request bodies, missing security headers, dangerous image config) for review.
Access control
For every Server Action and Route Handler, confirm it re-checks authentication itself (a page check does not cover it), checks resource ownership to stop IDOR, validates client input, and rate limits anything expensive or abusable.
Injection and output
Confirm queries are parameterized (never string-built), user HTML is sanitized before dangerouslySetInnerHTML, redirects and outbound fetches are allowlisted (open redirect, SSRF), and no request body is spread into a database write.
Exposure and config
Confirm secrets stay server-only (no NEXT_PUBLIC_, process.env only in the data layer), only minimal DTOs cross to the client, errors do not leak stack traces, security headers are set, and next.config has no dangerous image options.
What ships in the bundle
- scriptscripts/scan-security.mjsGreps the changed files for the high-confidence risk patterns across every vuln family and flags each for human review. It surfaces risks; it does not certify that the code is safe.
- referencereferences/security-audit-checklist.mdThe full web-app audit: what Next.js protects by default versus what you own, every vuln class with its detection signal and fix, sourced to the framework's bundled docs and the handbook.
1 run, the rest load on demand.