ClawHub

CopilotKit React Best Practices

PassAudited by ClawScan on May 1, 2026.

Overview

This is an instruction-only CopilotKit React best-practices guide; its agent tool and context-sharing examples are purpose-aligned, but generated app code should still be reviewed for safe scoping.

This skill appears safe to install as a documentation-only guide. When using its recommendations, carefully review generated CopilotKit tool handlers and shared context so agent actions are narrowly scoped and sensitive data is not exposed unnecessarily.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI02: Tool Misuse and Exploitation
What this means

If copied into an app without validation or confirmation, agent-triggered tools could change application state or call APIs in ways users did not intend.

Why it was flagged

This shows the skill guides developers to expose agent-callable frontend tools that can perform side effects; that is expected for CopilotKit, but generated handlers need normal app-level safety controls.

Skill content
Use `useFrontendTool` when the tool call should trigger side effects (API calls, state mutations, navigation).
Recommendation

Review generated tool handlers, limit each tool to a narrow action, enforce authorization and validation, and require user confirmation for high-impact mutations.

Low
#ASI06: Memory and Context Poisoning
What this means

Applications built from these patterns may send user, project, or task context to an agent, so overly broad context could disclose more information than needed or influence agent behavior.

Why it was flagged

This documents passing structured application context to an agent; it is purpose-aligned and the skill also encourages minimal context, but such data should be curated to avoid exposing secrets or unnecessary personal/business details.

Skill content
useCopilotReadable({
    description: "Current user information",
    value: { userName: user.name, role: user.role },
  })
Recommendation

Keep `useCopilotReadable` data minimal, redact secrets and unnecessary PII, separate trusted state from user-controlled text, and document what context is shared with the agent.