Security audit

Micro-Frontend Architecture

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only micro-frontend guide, with a couple of auth-token examples users should harden before using in production.

Safe to install as an architecture reference. Before applying its snippets, replace localStorage token examples with secure HttpOnly SameSite cookies, backend-managed sessions, or tightly scoped in-memory tokens; avoid passing raw tokens to sub-apps; and protect remote-loading and deployment-manifest workflows with trusted origins, CI approvals, least-privilege credentials, and rollback controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The guidance explicitly demonstrates storing an auth token in localStorage, which makes the token persist in browser storage and exposes it to any JavaScript running in the origin, including code injected through XSS or a compromised sub-application. In a micro-frontend architecture, multiple independently deployed apps share the same browser context, which increases the attack surface and makes this recommendation more dangerous than in a simpler single-app setup.

Missing User Warnings

Medium
Confidence: 91%
Finding
The example passes an auth token sourced from localStorage into micro-frontend customProps, which encourages use of a token storage mechanism vulnerable to XSS-driven theft and broad propagation of sensitive credentials across sub-app boundaries. In a micro-frontend architecture, this is more dangerous because multiple independently deployed apps may receive or mishandle the token, expanding the trust boundary and increasing exposure.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.