ClawHub

React Best Practices

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only React/Next.js performance guide; it has a few examples that need security review before copying into production, but no hidden execution or data access was found.

Reasonable to install as a reference skill. Prefer the ClawHub install path or verify the GitHub source before using the remote npx command, and review generated code before accepting it. Be especially careful with inline scripts, raw session/cookie logging, and cross-request caches of user or authorization-sensitive data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The guidance explicitly recommends injecting an inline script with `dangerouslySetInnerHTML`, which normalizes a high-risk pattern in a general React best-practices skill. Even though the sample uses a constant string, this advice can be copied into broader contexts where interpolated data reaches the script body, creating an XSS path and weakening CSP by encouraging inline JavaScript.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guidance recommends cross-request caching of user records keyed only by `id` and frames it as a performance best practice without warning about data isolation, authorization boundaries, or stale data. In real applications, developers may reuse this pattern for user-scoped or permission-sensitive objects, causing one user's cached data to be served in a different authorization context or after revocation/updates, especially in shared server instances like Fluid Compute.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal