Back to skill

Security audit

React Component Generator

Security checks across malware telemetry and agentic risk

Overview

This is a small React component file generator with some overstated documentation, but no evidence of hidden, destructive, credential-seeking, or network behavior.

Install only if you want a very simple shell-based React .jsx generator. Use it in the intended project directory, choose simple component names, and check for existing files before running it because it may overwrite a same-named .jsx file. Do not rely on the advertised TypeScript, class component, hook, or HOC support unless the implementation is updated.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest description in _meta.json is overly broad and does not clearly bound when the skill should be selected. In agentic environments, vague activation metadata can cause the skill to trigger outside its intended frontend React use case, increasing the chance of inappropriate invocation, prompt-routing errors, or misuse in unrelated coding tasks.

Natural-Language Policy Violations

Medium
Confidence
81% confidence
Finding
The description forces Chinese output ('生成 React 组件') without indicating that language selection depends on user preference or system locale. This can cause mismatches with user expectations, reduce usability, and in multi-skill routing contexts may lead to incorrect activation or confusing outputs, though the direct security impact is limited.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.