React Router V7

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only React Router guidance skill with one production-hardening caveat for anyone who copies its error-display sample.

Reasonable to install as React Router documentation. If you copy the error-boundary sample, do not show stack traces or raw internal errors to public users; show a generic message and keep detailed diagnostics in development-only output or protected logging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The root error boundary example renders `error.stack` directly, which can expose internal file paths, code structure, environment details, and other sensitive debugging information to end users. In a best-practices reference, developers may copy this pattern into production unchanged, making the skill context more dangerous because it normalizes unsafe error disclosure as recommended usage.

Missing User Warnings

Medium
Confidence: 97%
Finding
The example renders `error.message` and especially `error.stack` directly into the UI, which can disclose sensitive internal details such as file paths, code structure, environment information, and implementation specifics to end users. In a routing best-practices skill, this is more dangerous because developers may copy the pattern verbatim into production applications, turning a debugging aid into an information disclosure issue.

VirusTotal

67/67 vendors flagged this skill as clean.
