React Project Standard

Security checks across malware telemetry and agentic risk

Overview

The inspected skill artifacts are development and maintainer helpers with disclosed repo-scoped commands; no hidden exfiltration, destructive automation, or deceptive behavior was found.

Install only if you want these ClawHub/Convex maintainer workflows available to your agent. Be aware that the autoreview helper defaults to a full-access nested Codex review mode; use its documented no-yolo option if you want normal sandbox prompts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Vague Triggers

Medium

Confidence: 90% confidence
Finding: The manifest description uses broad activation terms such as 'Use when designing or reviewing' and then lists many repository-wide concerns, which can cause the skill to be selected in overly broad contexts. In an agent system, ambiguous trigger boundaries increase the chance of inappropriate invocation, leading to irrelevant guidance being applied where more specialized or security-focused handling is needed.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal