react-typescript
Security checks across malware telemetry and agentic risk
Overview
This appears to be an instruction-only React/TypeScript guidance skill with no executable code or install steps, though users should verify the unexplained purchase-related capability signal and unknown provenance.
This skill is low-risk as provided because it is documentation-only and has no code, install process, credentials, or external endpoints. Before installing, verify why the registry lists a purchase-related capability signal and consider preferring a version with a clear source or homepage.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the host platform treated this signal as a real permission, the skill could have more sensitive authority than its documentation explains.
A purchase-related capability signal is sensitive and not part of the stated React/TypeScript guidance purpose. The provided requirements list no credentials or config paths, so this is a boundary item to verify rather than evidence of an implemented purchase flow.
- can-make-purchases
Before installing, confirm that no purchase/payment capability is actually granted to this skill, or that it is disabled unless explicitly needed and approved.
Users have less ability to verify the author, upstream project history, or maintenance practices.
The skill has no upstream source or homepage listed, which limits provenance review. This is lower risk here because the skill is instruction-only and has no installable code or dependencies.
Source: unknown; Homepage: none
Prefer skills with clear source links when available, and review the included instructions before relying on them for important projects.