Back to skill
Skillv1.0.0
ClawScan security
Building Components · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 5, 2026, 3:19 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only React best-practices guide with no installs, no required credentials, and no commands — it appears to do what it says.
- Guidance
- This skill is an offline best-practices document and poses minimal technical risk: it won't install software or request credentials. The only non-technical concern is that the source is listed as "unknown" while the metadata author is 'vercel' — if provenance matters to you, verify the author or use an official Vercel/React style guide instead. Otherwise it's safe to use as a reference for component design and reviews.
Review Dimensions
- Purpose & Capability
- okThe name/description (React component best practices) match the actual content: a prose guideline (SKILL.md) about component structure, props, composition, and state. Nothing requested or declared (no env vars, no binaries) is out of place.
- Instruction Scope
- okThe SKILL.md contains only guidance and example code snippets. It does not instruct the agent to run shell commands, access files, read environment variables, or transmit data to external endpoints.
- Install Mechanism
- okThere is no install spec and no code files. As an instruction-only skill, it writes nothing to disk and does not fetch external code.
- Credentials
- okThe skill declares no environment variables, credentials, or config paths — appropriate for a static best-practices guide.
- Persistence & Privilege
- okalways is false and the skill does not request persistent presence or modify agent/system settings. Default autonomous invocation is allowed but the skill's instructions do not perform privileged actions.