React Best Practices

v1.0.0

Audits React code for performance, bundle size, and best practices. Use when reviewing React code, auditing bundle size, finding performance issues, checking...

by Tony Simons (@asimons81)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name, description, and declared dependencies (Node.js, React project) align: auditing React code for performance and bundle size reasonably requires reading project files and running Node-based analysis.
Instruction Scope
SKILL.md correctly focuses on auditing source code and lists concrete rules to check, but it uses high-level directives like "Run the audit" without specifying tools, commands, or safe defaults. That vagueness lets an agent choose arbitrary tooling or perform installs/executables against the repository, which increases risk if the agent is allowed to act autonomously.
Install Mechanism
No install spec and no code files are present (instruction-only). This minimizes disk writes or bundled code, but also means the agent will need external tools (e.g., npm packages) at runtime; the skill doesn't mandate any particular third-party downloads.
Credentials
The skill requests no environment variables, credentials, or config paths. The declared requirements (Node.js, a React project) are proportionate to the stated purpose.
Persistence & Privilege
The skill's always flag is false and the skill does not request persistent system changes. Autonomous invocation is allowed (platform default), but the skill itself does not request elevated privileges or to modify other skills/config.
Assessment
This skill appears to do what it says (audit React code) and asks for nothing sensitive, but its instructions are intentionally high-level — they tell the agent to "run the audit" without specifying which tools, commands, or safe installation steps to use. Before installing or enabling it for autonomous use: (1) decide and pin the tooling the agent is allowed to run (e.g., a vetted CLI or npm package), (2) restrict the agent's ability to install arbitrary packages or execute unreviewed scripts, (3) run audits in an isolated environment or CI runner with read-only access to the repo, and (4) require manual approval for any network downloads or dependency installations. If you want stronger guarantees, ask the skill author to include explicit commands, an approved toolchain, or an install spec referencing well-known release artifacts.


latest: vk972431enjbw3m7wk5vt2ykpdh84nex8
