ClawHub
Back to skill
v1.0.0

React Best Practices

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:32 AM.

Analysis

This is mostly an instruction-only React guidance skill, but it makes official-sounding Vercel authorship claims that are not supported by the provided provenance and conflict with a third-party GitHub install path.

GuidanceReview this as a third-party React/Next.js best-practices guide unless you can independently confirm the Vercel provenance. The visible content is instruction-only and appears scoped to performance guidance, but do not rely on the official-sounding attribution without verification.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation
SeverityMediumConfidenceMediumStatusConcern
SKILL.md
React and Next.js performance optimization guidelines from Vercel Engineering... author: vercel

This official-sounding attribution matters because the supplied metadata lists the source as unknown and the README includes a third-party GitHub install path, so the artifacts do not substantiate the Vercel authorship claim.

User impactA user or agent may give the guidance more authority than warranted and allow automated refactors based on an unverified official-source claim.
RecommendationVerify the skill's provenance against an official Vercel source before relying on the attribution; otherwise treat it as third-party guidance.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
README.md
npx add https://github.com/wpank/ai/tree/main/skills/frontend/react-best-practices

The README documents a user-directed install from a GitHub path that is not the claimed Vercel source; this is not automatic execution, but it is relevant provenance users should notice.

User impactInstalling from the documented third-party path could bring in content that differs from what a user expects from the Vercel attribution.
RecommendationPrefer a trusted registry/source, review the repository contents before installation, and pin to a specific reviewed version or commit when possible.