Remix V2 Perf Ssr Review

Security checks across malware telemetry and agentic risk

Overview

This is a read-only Remix code-review guidance skill, and the scanner alerts are examples inside security guidance rather than unsafe runtime behavior.

Reasonable to install for Remix v2 SSR/performance reviews. Treat its findings as code-review advice and verify reported file/line evidence before changing production code, especially for caching and hydration recommendations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Natural-Language Policy Violations

Medium
Confidence
89% confidence
Finding
This markdown guidance presents `"en-US"` as the exemplar fix for locale-sensitive formatting, which can encourage a forced language/locale outcome rather than preserving user preference. The file does not pair this recommendation with opt-in language selection or a clear statement that the locale should come from user settings except as a secondary 'better' option later.

Unvalidated Output Injection

High
Category
Output Handling
Content
**Bad (untrusted):**
```tsx
<div dangerouslySetInnerHTML={{ __html: post.body }} /> // user-authored content
```

**Bad (trusted but unsafe encoding):**
Confidence
65% confidence
Finding
dangerouslySetInnerHTML={

Unvalidated Output Injection

High
Category
Output Handling
Content
**Bad (trusted but unsafe encoding):**
```tsx
<script
  dangerouslySetInnerHTML={{
    __html: `window.ENV = ${JSON.stringify(data.ENV)}`, // </script> in data breaks out
  }}
/>
```
Confidence
65% confidence
Finding
dangerouslySetInnerHTML={

Unvalidated Output Injection

High
Category
Output Handling
Content
```tsx
import sanitize from "isomorphic-dompurify";

<div dangerouslySetInnerHTML={{ __html: sanitize(post.body) }} />
```

**Good (serialize JS safely):**
Confidence
65% confidence
Finding
dangerouslySetInnerHTML={

Unvalidated Output Injection

High
Category
Output Handling
Content
```tsx
import serialize from "serialize-javascript";

<script
  dangerouslySetInnerHTML={{
    __html: `window.ENV = ${serialize(data.ENV, { isJSON: true })}`,
  }}
/>
```
Confidence
65% confidence
Finding
dangerouslySetInnerHTML={

VirusTotal

65/65 vendors flagged this skill as clean.
