Will It Vibe logoWill It Vibe?
NEXT-002Medium severity-8 points

Non-public env var read in a Client Component

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A file marked "use client" reads a process.env variable that is not prefixed NEXT_PUBLIC_. At runtime that value is undefined in the browser, and if the bundler inlines it the private value ships to the client.

Why it matters

Code marked "use client" runs in the browser, where only NEXT_PUBLIC_ variables are defined. Reading any other process.env value returns undefined at runtime, so the feature silently breaks, and if a build step inlines the value it leaks a server secret to the client. Either outcome is a real production bug.

How to fix it

Move the logic that needs the private variable into a Server Component, Route Handler, or server action and pass only the resulting non-secret data to the client. If the value is safe to publish, rename it with the NEXT_PUBLIC_ prefix so Next.js exposes it deliberately.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks