Vercel React Best Practices

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only React/Next.js performance skill, but some of its examples should be reviewed before they are copied into security-sensitive code.

Install only if you want an agent to use these React/Next.js performance notes as advisory guidance. Review generated changes before merging, especially inline scripts, localStorage/auth state, cookie caching, useTransition async flows, and cross-request caches. Treat the Vercel branding as an artifact claim unless you have separately verified the publisher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The guidance explicitly recommends using an inline script via dangerouslySetInnerHTML to mutate the DOM before hydration. While the specific example uses a constant string rather than direct user input, this normalizes a hazardous pattern in a best-practices skill without discussing CSP, Trusted Types, or the requirement that injected content remain strictly static, which can lead downstream users to introduce XSS-prone variants.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The documentation incorrectly implies that wrapping an async fetch in startTransition gives a reliable built-in loading state for the full async operation. In practice, useTransition tracks scheduling of state updates rather than canceling or fully managing arbitrary async work, so developers may ship misleading loading indicators, race conditions, or stale result handling in production React/Next.js apps.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The benefits section overstates safety guarantees by claiming thrown transitions are handled correctly and new transitions cancel pending ones, while the underlying async fetch continues unless explicitly canceled. This can mislead users into assuming resilience and cancellation semantics that do not exist, increasing the chance of stale updates, wasted requests, and incorrect UI state in performance-sensitive applications.

Missing User Warnings

Severity: Low
Confidence: 71%
Finding
The document promotes pre-hydration access to localStorage and direct DOM mutation as a general solution for rendering state, including examples like authentication state, without warning about privacy, security boundaries, or the sensitivity of client-stored data. In a performance-guidance skill, that omission can mislead users into applying the pattern to unsafe contexts where client-side storage is not an appropriate trust source.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The example shows dangerouslySetInnerHTML-based script injection without any warning that this requires trusted static content and may conflict with CSP or Trusted Types deployments. Even though the shown payload is hardcoded, presenting it as the 'Correct' approach in a best-practices skill materially increases the chance that consumers copy the pattern into less safe contexts.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The guidance promotes cross-request caching of user records in process memory without warning that cached data may be shared across different users, tenants, auth contexts, or permission states if cache keys are too coarse. In a React/Next.js server environment, this pattern can lead to stale authorization decisions, accidental cross-user data exposure, or serving outdated sensitive profile data across sequential requests.

VirusTotal

64/64 vendors flagged this skill as clean.