Vercel React Best Practices

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only React performance skill, but some examples promote risky handling of session cookies, inline scripts, and cross-request user-data caching without enough guardrails.

Install only if you are prepared to review generated changes carefully. Treat the performance advice as a starting point, not authoritative security guidance: do not log cookies or tokens, do not cache full user records across requests without scoped keys and invalidation, and avoid inline scripts unless your CSP and data handling are explicitly safe.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Intent-Code Divergence

Medium, 94% confidence

Finding
The documentation teaches an incorrect React pattern by implying that `useTransition` will manage loading state for an async fetch when used with an `async` callback to `startTransition`. In practice, `isPending` does not reliably track the awaited network request the way the text claims, so developers may ship misleading loading indicators, race-prone UI, and broken assumptions about request lifecycle handling.

Intent-Code Divergence

Medium, 92% confidence

Finding
The listed benefits overstate guarantees that the example does not provide, especially around error resilience and automatic cancellation. Developers relying on these claims may omit explicit error handling, request cancellation, or stale-response protection, creating fragile application behavior and possible data consistency issues under concurrent user input.

Missing User Warnings

Medium, 89% confidence

Finding
The guidance explicitly recommends an inline pre-hydration script using `dangerouslySetInnerHTML` to mutate the DOM based on client-side state, but it omits any discussion of CSP, script injection risk, and integrity constraints. While the example uses a constant script body and only reads from `localStorage`, this pattern normalizes inline script injection in a reusable skill and can lead downstream users to interpolate untrusted data or weaken CSP protections.

Missing User Warnings

Medium, 89% confidence

Finding
The example explicitly captures a session cookie value and user-agent and sends them to a logging function. Even in documentation, this normalizes logging session identifiers, which are sensitive authentication-related artifacts that can enable session correlation, privacy violations, or account compromise if logs are exposed or reused insecurely. In a best-practices skill, this is more dangerous because consumers may copy the pattern directly into production code.

Missing User Warnings

Medium, 92% confidence

Finding
The guidance encourages process-local cross-request caching of `getUser(id)` results without any warning about data sensitivity, authorization scoping, or stale/incorrect data reuse. In a React/Next.js skill, this is more dangerous because developers may copy the pattern directly into authenticated server code, leading to cached user objects being reused across requests in ways that can expose outdated or over-broad sensitive profile data if access controls or cache keys are incomplete.

VirusTotal

66/66 vendors reported this skill as clean.