Is nextjs-expert safe?
https://clawhub.ai/jgarrison929/nextjs-expert
This is a benign documentation-only skill providing Next.js 15 App Router reference material. It contains no executable code, no external URLs for the agent to fetch, no data exfiltration instructions, and no hidden content. The only concerns are mild prompt injection via persona override and prescriptive coding directives, plus OpenClaw platform-level file reads during installation that are not attributable to the skill itself.
Findings (6)
LOW Persona override via role definition -7
The skill instructs the agent 'You are a senior Next.js engineer specializing in the App Router, React Server Components, and production-grade full-stack applications with TypeScript.' This overrides the agent's default identity. While standard for specialist skills, it constitutes a mild form of prompt injection.
LOW Prescriptive behavioral directives -8
The skill's 'Core Principles' and 'Anti-Patterns to Avoid' sections use imperative language that constrains agent behavior. For example, 'Only add use client when you need hooks' and 'Type everything: Use TypeScript strictly' could override user-specified preferences for JavaScript or different architectural patterns.
INFO Broad trigger list increases activation surface -7
The skill has 20+ triggers including very common terms ('Next', 'middleware', 'layout.tsx'). This means the skill will activate frequently, injecting its full prompt into conversations even when the user may not be building a Next.js app. The term 'middleware' alone is generic enough to trigger on non-Next.js middleware discussions.
INFO Auth code examples reference environment variable names -5
The skill's authentication examples reference process.env.GITHUB_ID and process.env.GITHUB_SECRET as code patterns. These are documentation examples for the agent to emit as code templates, not instructions to read actual values. No exfiltration risk, but the generated code will reference real env vars if used.
INFO No executable payload -5
The skill contains only Markdown documentation with inline TypeScript/TSX code examples. There are no executable scripts, no package.json with install hooks, no git hooks, no submodules, and no symlinks. All code is reference material for the agent to use when generating responses.
MEDIUM OpenClaw runtime reads sensitive files during install context -25
Filesystem monitoring shows that during the skill installation context, the OpenClaw runtime read .env, .aws/credentials, .profile, .bashrc, and auth-profiles.json. These reads are attributed to the OpenClaw platform bootstrapping (not the skill itself), but they occur in the skill's installation context. The .aws/credentials file access is particularly notable.