batype

React Nextjs Generator

Author: batype · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 431
Favorites: 0
Current installs: 2
Versions: 1
Install in OpenClaw
/install react-nextjs-generator
Description
Generates complete React Next.js projects from requirements and UI designs using Ant Design, Tailwind CSS, and Zustand for state management.
Security usage recommendations
This skill appears to do what it claims (generate Next.js projects), but exercise caution before running it:
- Review the included files (create-react-app.sh, generator.ts, runner.ts) yourself. The shell script runs `npx create-next-app` and `npm install`, which will download and execute third-party packages from the network.
- Do not run the scripts on a sensitive machine without inspection—use a disposable or sandboxed environment (container or VM).
- The controller docs reference a hardcoded local path (/Users/batype/...), which likely won't match your environment; expect to supply correct paths or adjust invocation.
- The generator constructs filesystem paths from parsed text in the requirements document without sanitization. Malicious or malformed requirements could cause files to be written outside the intended output directory (path traversal). Validate or sanitize any user-provided input and always set an explicit output directory you control.
- If you plan to use it, test first with minimal, well-formed requirements in an isolated workspace, and run `npm install` and `npm run dev` yourself after reviewing package.json.

What would change this assessment: evidence that input strings are sanitized/validated before use (prevents path traversal), removal of hardcoded local paths in docs, or signatures/source provenance showing the code comes from a trusted author. Without those, treat the skill as functional but potentially unsafe.
Functional analysis
Type: OpenClaw Skill
Name: react-nextjs-generator
Version: 1.0.0

The skill bundle is suspicious due to multiple critical input sanitization vulnerabilities that could lead to Remote Code Execution (RCE) and arbitrary file writes/code injection into generated projects. Specifically, `create-react-app.sh` is vulnerable to shell injection via unsanitized `PROJECT_NAME` and `OUTPUT_DIR` arguments. The `generator.ts` script is vulnerable to path traversal and code injection into generated files because it directly uses unsanitized user input from `requirementsDoc` for file paths and content. The `OpenClaw-Skill.md` and `controller.md` explicitly instruct the AI agent to use the `exec` tool to run these vulnerable scripts (`runner.ts` and `create-react-app.sh`), making the agent susceptible to prompt injection leading to RCE if it does not perform its own robust input sanitization before passing user-controlled data.
Capability assessment
Purpose & Capability
Name/description match the bundled code: generator.ts, runner.ts and create-react-app.sh implement project generation with Next.js/AntD/Tailwind/Zustand. However, the controller documentation references a hardcoded local path (/Users/batype/.openclaw/...) to runner.ts which is environment-specific and inappropriate for a distributable skill.
Instruction Scope
SKILL.md/controller.md instruct the agent to save the requirements to a temp file, call runner.ts and execute create-react-app.sh. That is expected for a generator, but the code executes npx/npm (network installs) and runs shell scripts. generator.ts creates files and directories directly from parsed text without sanitizing extracted route names — this can enable directory-traversal or arbitrary file writes if the requirements document contains malicious paths. The controller's absolute path and reliance on exec assumes local filesystem layout that may not exist.
Install Mechanism
There is no install spec (instruction-only skill), which is low risk for installation. However, the included create-react-app.sh will invoke npx create-next-app and npm install to fetch and run external packages at runtime — expected for this functionality but it means network downloads and execution of third-party code when the script runs.
Credentials
The skill declares no required environment variables or credentials, which is consistent with a local project generator. No secrets are requested.
Persistence & Privilege
always is false and the skill does not request elevated or permanent presence. It does instruct file creation in a user-specified output directory and references an absolute path in docs, but it does not modify other skills or system-wide agent settings.
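How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install react-nextjs-generator
  3. After installation, invoke the Skill by name or trigger it with /react-nextjs-generator
  4. Provide the required input according to the Skill's parameter description to get structured output
Version history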
v1.0.0
Initial release of the React Next.js project generator skill.
- Generates full React + Next.js projects from requirement documents and UI design files
- Integrates Ant Design, Tailwind CSS, and Zustand for UI and state management
- Automatically analyzes uploaded documents and designs to create page components, project structure, and configuration
- Streamlines workflow from input analysis to generating code and applying styles
Metadata
Slug react-nextjs-generator
Version 1.0.0
License
Total installs 2
Current installs 2
Number of versions 1
FAQ

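What is React Nextjs Generator?

Generates complete React Next.js projects from requirements and UI designs using Ant Design, Tailwind CSS, and Zustand for state management. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 431 total downloads to date.

How do I install React Nextjs Generator?

Run the command "/install react-nextjs-generator" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.

Is React Nextjs Generator free?

Yes, React Nextjs Generator is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does React Nextjs Generator support?

React Nextjs Generator runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed React Nextjs Generator?

Developed and maintained by batype (@batype); the current version is v1.0.0.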
