Automated Response Rule
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a simple React UI instruction skill; the main point to notice is that it asks you to install an unpinned third-party npm package.
This skill appears benign and narrowly focused on adding a React UI component. Before using it, confirm that the orbcafe-ui npm package is the package you intend to trust, pin a version, and install it in a normal development workflow rather than blindly adding it to a sensitive production project.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package adds third-party code to the user's project, so future builds or application behavior may depend on that package.
The skill asks the user to install an external npm package without pinning a version. This is expected for a React UI component skill, but the package source and exact version are not constrained by the artifact.
npm install orbcafe-ui # or pnpm add orbcafe-ui
Verify the npm package and maintainer, pin a known-good version, and use a lockfile or dependency review before installing in an important project.
