
React Nextjs Generator

by batype · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
431 Downloads
0 Stars
2 Active Installs
1 Versions
Install in OpenClaw
/install react-nextjs-generator
Description
Generates complete React Next.js projects from requirements and UI designs using Ant Design, Tailwind CSS, and Zustand for state management.
Usage Guidance
This skill appears to do what it claims (generate Next.js projects), but exercise caution before running it:
- Review the included files (create-react-app.sh, generator.ts, runner.ts) yourself. The shell script runs `npx create-next-app` and `npm install`, which will download and execute third-party packages from the network.
- Do not run the scripts on a sensitive machine without inspection; use a disposable or sandboxed environment (container or VM).
- The controller docs reference a hardcoded local path (/Users/batype/...), which likely won't match your environment; expect to supply correct paths or adjust invocation.
- The generator constructs filesystem paths from parsed text in the requirements document without sanitization. Malicious or malformed requirements could cause files to be written outside the intended output directory (path traversal). Validate or sanitize any user-provided input and always set an explicit output directory you control.
- If you plan to use it, test first with minimal, well-formed requirements in an isolated workspace, and run `npm install` and `npm run dev` yourself after reviewing package.json.

What would change this assessment: evidence that input strings are sanitized/validated before use (prevents path traversal), removal of hardcoded local paths in docs, or signatures/source provenance showing the code comes from a trusted author. Without those, treat the skill as functional but potentially unsafe.
Capability Analysis
Type: OpenClaw Skill
Name: react-nextjs-generator
Version: 1.0.0

The skill bundle is suspicious due to multiple critical input sanitization vulnerabilities that could lead to Remote Code Execution (RCE) and arbitrary file writes/code injection into generated projects. Specifically, `create-react-app.sh` is vulnerable to shell injection via unsanitized `PROJECT_NAME` and `OUTPUT_DIR` arguments. The `generator.ts` script is vulnerable to path traversal and code injection into generated files because it directly uses unsanitized user input from `requirementsDoc` for file paths and content. The `OpenClaw-Skill.md` and `controller.md` explicitly instruct the AI agent to use the `exec` tool to run these vulnerable scripts (`runner.ts` and `create-react-app.sh`), making the agent susceptible to prompt injection leading to RCE if it does not perform its own robust input sanitization before passing user-controlled data.
Capability Assessment
Purpose & Capability
Name/description match the bundled code: generator.ts, runner.ts and create-react-app.sh implement project generation with Next.js/AntD/Tailwind/Zustand. However, the controller documentation references a hardcoded local path (/Users/batype/.openclaw/...) to runner.ts which is environment-specific and inappropriate for a distributable skill.
Instruction Scope
SKILL.md/controller.md instruct the agent to save the requirements to a temp file, call runner.ts and execute create-react-app.sh. That is expected for a generator, but the code executes npx/npm (network installs) and runs shell scripts. generator.ts creates files and directories directly from parsed text without sanitizing extracted route names — this can enable directory-traversal or arbitrary file writes if the requirements document contains malicious paths. The controller's absolute path and reliance on exec assumes local filesystem layout that may not exist.
Install Mechanism
There is no install spec (instruction-only skill), which is low risk for installation. However, the included create-react-app.sh will invoke npx create-next-app and npm install to fetch and run external packages at runtime — expected for this functionality but it means network downloads and execution of third-party code when the script runs.
Credentials
The skill declares no required environment variables or credentials, which is consistent with a local project generator. No secrets are requested.
Persistence & Privilege
`always` is false and the skill does not request elevated or permanent presence. It does instruct file creation in a user-specified output directory and references an absolute path in docs, but it does not modify other skills or system-wide agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install react-nextjs-generator
  3. After installation, invoke the skill by name or use /react-nextjs-generator
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the React Next.js project generator skill.
- Generates full React + Next.js projects from requirement documents and UI design files
- Integrates Ant Design, Tailwind CSS, and Zustand for UI and state management
- Automatically analyzes uploaded documents and designs to create page components, project structure, and configuration
- Streamlines workflow from input analysis to generating code and applying styles
Metadata
Slug react-nextjs-generator
Version 1.0.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is React Nextjs Generator?

Generates complete React Next.js projects from requirements and UI designs using Ant Design, Tailwind CSS, and Zustand for state management. It is an AI Agent Skill for Claude Code / OpenClaw, with 431 downloads so far.

How do I install React Nextjs Generator?

Run "/install react-nextjs-generator" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is React Nextjs Generator free?

Yes, React Nextjs Generator is completely free (open-source). You can download, install and use it at no cost.

Which platforms does React Nextjs Generator support?

React Nextjs Generator is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created React Nextjs Generator?

It is built and maintained by batype (@batype); the current version is v1.0.0.
