A focused Next.js security auditor that catches the stuff that's easy to miss in App Router projects. It hunts for the classic NEXT_PUBLIC_ footgun where secrets end up in client bundles, checks Server Actions for missing auth and input validation, and verifies that middleware matchers actually cover your protected routes. The pattern library is solid on the specifics: IDOR vulnerabilities in dynamic routes, the next.config.js env trap, and inconsistent auth between API route methods. Use it when reviewing Next.js codebases or before deployment to catch high-severity auth gaps. The grep commands alone make it worth having loaded if you work in Next.js regularly.
npx skills add https://github.com/igorwarzocha/opencode-workflows --skill security-nextjs