ClawHub

React Best Practices 2 0.1.0

Security checks across malware telemetry and agentic risk

Overview

This is mostly a React/Next.js performance guidance skill, but it includes security-sensitive examples that agents could copy into application code without enough safeguards.

Install only if you are comfortable treating it as advisory documentation rather than blindly applying every example. Review generated changes that touch cookies, sessions, localStorage, inline scripts, dangerouslySetInnerHTML, or background logging; replace raw session cookies with non-sensitive identifiers and add CSP/nonce and untrusted-data safeguards for any inline script pattern.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The guidance explicitly recommends using an inline script with dangerouslySetInnerHTML to read from localStorage and mutate the DOM before hydration. While the example uses a fixed script body rather than interpolating attacker-controlled data, it normalizes a high-risk primitive that bypasses React's usual safety guarantees and can encourage unsafe copy-paste adaptations in application code.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The rule recommends a synchronous inline script that reads client storage and directly changes the DOM, but it does not mention the integrity and XSS tradeoffs of this pattern. In a best-practices skill, that omission is risky because users may adopt the technique broadly without understanding that localStorage-driven DOM changes and inline scripts expand the attack surface and may conflict with secure CSP deployments.

Ssd 3

Medium
Confidence
95% confidence
Finding
The example explicitly captures a session cookie value and user-agent string for background logging. Logging session identifiers can leak authentication material into logs, monitoring systems, or third-party processors, increasing the risk of session hijacking and unnecessary retention of sensitive data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal