hoangnguyen0403/nextjs-server-actions
skills/nextjs/nextjs-server-actions/SKILL.md
Implement mutations, forms, and RPC-style calls with Next.js Server Actions. Use when implementing Server Actions, form mutations, or RPC-style data mutations in Next.js.
$ install --global
skillsauthnpx skillsauth add hoangnguyen0403/agent-skills-standard nextjs-server-actionsInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 20, 2026, 3:05 AM162.2s3 files scanned
SKILL.md
- name:
- nextjs-server-actions
- description:
- Implement mutations, forms, and RPC-style calls with Next.js Server Actions. Use when implementing Server Actions, form mutations, or RPC-style data mutations in Next.js.
Server Actions
Priority: P1 (HIGH)
[!WARNING] If project uses
pages/directory instead of App Router, ignore this skill entirely.
Handle form submissions and mutations without creating API endpoints.
Implementation Guidelines
-
Directive: Always start file or function with
'use server'. AccessformData.get('title')for typed form fields. Export async functions for mutations. -
Form Handling: Use
actionprop of<form>to trigger actions viaaction={createPost}. UseuseFormStatus()forpendingstates —disabled={pending}on buttons. UseuseActionState(React 19/Next.js 15) foraction={action}form state with<form action={action}>. -
Data Refresh: Trigger UI updates using
revalidatePath('/')orrevalidateTag('tag-name')after successful mutation. -
Interactivity: For non-form triggers, invoke actions using
useTransitionhook to handle loading UI and prevent page from blocking. -
Optimistic Updates: Use
useOptimisticto show expected UI state immediately before server confirms mutation. -
Security: Sanitize all inputs from
FormData. Perform auth checks inside every action (await auth()). Limit file uploads by size and MIME type. -
Form:
<form action={createPost}>(Progressive enhancements work without JS). -
Event Handler:
onClick={() => createPost(data)}. -
Pending State: Use
useFormStatushook (must inside component rendered within form).
P1: Operational Standard
1. Secure & Validate
Always validate inputs with z.object({ schema and safeParse before processing. Check authorization within action. See Secure Action Example.
2. Pending States
Use useActionState (React 19/Next.js 15+) for state handling and useFormStatus for button loading states.
Constraints
- Closures: Avoid defining actions inside components to prevent hidden closure encryption overhead and serialization bugs.
- Redirection: Use
redirect()for success navigation; it throws error that Next.js catches to handle redirect.
Anti-Patterns
- No unvalidated Server Action inputs: Always validate with Zod before processing.
- No skipped auth checks: Verify session/user inside every action, not middleware.
- No actions defined inside components: Define in
actions.tsto avoid closure bugs. - No
redirect()in try/catch:redirect()throws; catching it suppresses redirect.
Related Skills
hoangnguyen0403/specialist-pr-reviewer
development
VerifiedTrustedCommunity
Summarizes GitHub PR, GitLab MR, or Azure DevOps PR metadata, review threads, changed files, and template completeness. Use during review-ticket or code-review workflows when PR/MR context exists.
498SKILL.mdUpdated May 23, 2026
hoangnguyen0403/typescript-tooling
tools
VerifiedTrustedCommunity
Development tools, linting, and build config for TypeScript. Use when configuring ESLint, Prettier, Jest, Vitest, tsconfig, or any TS build tooling.
498SKILL.mdUpdated May 21, 2026
hoangnguyen0403/typescript-security
development
VerifiedTrustedCommunity
Validate input, secure auth tokens, and prevent injection attacks in TypeScript. Use when validating input, handling auth tokens, sanitizing data, or managing secrets and sensitive configuration.
498SKILL.mdUpdated May 21, 2026
hoangnguyen0403/typescript-language
development
VerifiedTrustedCommunity
Apply modern TypeScript standards for type safety and maintainability. Use when working with types, interfaces, generics, enums, unions, or tsconfig settings.
498SKILL.mdUpdated May 21, 2026