orbcafe-stdreport-workflow

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent ORBCAFE UI development guide; review the npm setup commands and any generated CRUD/persistence behavior before using it in a real project.

This skill appears safe to use as a development aid for ORBCAFE report pages. Before installing or invoking it, make sure you are in the intended project, review the npm dependency changes, approve any npm build/dev commands, and verify that quick create/edit/delete callbacks and persisted report settings match your application's authorization and data-retention expectations.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill's recommended dependencies may add or update third-party code in the user's application.

Why it was flagged

The setup instructions add unpinned npm dependencies. This is expected for an ORBCAFE UI workflow, but it relies on npm package provenance and can change the project dependency tree.

Skill content

npm install orbcafe-ui @mui/material @mui/icons-material @mui/x-date-pickers @emotion/react @emotion/styled dayjs

Recommendation

Run the install only in the intended development repository, prefer pinned versions or a lockfile, and use a trusted npm registry.

What this means

These commands can modify node_modules, run project scripts, and start a local development server.

Why it was flagged

The workflow includes user-facing local build/dev commands. They are normal for frontend integration, but npm scripts execute code from the project and dependencies.

Skill content

# repo root
npm run build

cd examples
npm install
npm run dev

Recommendation

Confirm before running these commands, especially in an untrusted repository, and review package scripts or dependency changes if needed.

What this means

A generated report page may allow users to create, edit, or delete business data.

Why it was flagged

The recipe scaffolds create/edit/delete callbacks for report pages. This is disclosed and purpose-aligned, and delete is represented as a confirmation callback, but it can affect real records once connected to a backend.

Skill content

quickDelete={{
  enabled: true,
  onConfirm: async (selectedRows) => deleteOrders(selectedRows.map((r) => r.id)),
}}

Recommendation

Keep authorization, validation, confirmation, and audit/undo behavior in the application backend when enabling quick operations.

What this means

Saved report layout or variant settings may persist in the browser and influence later use of the same page.

Why it was flagged

The skill expects layout/variant persistence and local-storage fallback. This is appropriate for report UI state, but persistent state can affect future sessions if IDs collide or sensitive settings are stored.

Skill content

serviceUrl unavailable should fallback to local storage paths

Recommendation

Use unique id/appId/tableKey values, document how users can clear saved state, and avoid persisting secrets or sensitive filter values.