ClawHub

Frontend Composition Patterns

PassAudited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill Name: composition-patterns Version: 1.0.0 The skill bundle is benign. All files are either metadata or documentation/instructional markdown explaining React composition patterns. The code examples provided are illustrative TypeScript React (tsx) and not intended for execution by the AI agent as shell commands. The `SKILL.md` and `README.md` files contain standard installation instructions for the skill itself, including `npx clawhub@latest install` and `npx add` commands that fetch from a seemingly legitimate GitHub repository (https://github.com/wpank/ai/tree/main/skills/frontend/composition-patterns). There is no evidence of malicious intent, data exfiltration, unauthorized execution, persistence mechanisms, or harmful prompt injection attempts against the agent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI04: Agentic Supply Chain Vulnerabilities
What this means

If a user follows the alternate install command, they may install whatever content is currently on that branch rather than exactly the reviewed registry artifact.

Why it was flagged

The README offers a user-directed install path from a GitHub branch rather than a pinned immutable version. This is normal installation documentation, but users should verify the source before running it.

Skill content
npx add https://github.com/wpank/ai/tree/main/skills/frontend/composition-patterns
Recommendation

Prefer the reviewed registry version or a pinned/verified source, and inspect remote install targets before running npx commands.

NoteMedium Confidence
ASI09: Human-Agent Trust Exploitation
What this means

A user might give the skill extra trust based on an attribution that is not substantiated by the supplied metadata.

Why it was flagged

The skill includes a source attribution while the provided registry metadata lists the source as unknown and has no homepage. This does not show malicious behavior, but users should not rely on the attribution without verification.

Skill content
**Source:** Vercel Engineering
Recommendation

Treat the attribution as informational unless independently verified, and evaluate the guidance on its own merits.