Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
React Modernization
v1.0.0
Upgrade React apps by migrating class components to hooks, adopting React 18/19 concurrent features, running codemods, and adding TypeScript types.
⭐ 0· 987·2 current·4 all-time
by @wpank
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The skill claims to provide guidance for migrating React apps and the SKILL.md contains migration patterns, examples, and upgrade notes. It does mention 'automated codemods' but does not include any codemod scripts or request unrelated credentials — the scope of required resources is consistent with a documentation/instruction skill.
Instruction Scope
The instructions are focused on code migration patterns and migration checklists. They do not instruct the agent to read system files, access environment variables, or exfiltrate data. Note: the skill references automated codemods but provides no codemod artifacts in the package — if the agent or user later fetches or runs codemods from external sources, that introduces additional risk not covered by this skill alone.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. README shows example install commands (npx clawhub install, and an npx add line pointing to a GitHub tree) but these are documentation snippets rather than an install script embedded in the skill. No downloads or extracted archives are included.
Credentials
The skill declares no required environment variables, credentials, or config paths. Nothing in the SKILL.md accesses secrets or unrelated environment variables.
Persistence & Privilege
The skill is not set to always:true and does not request persistent or cross-skill configuration. Model invocation is not disabled (the platform default) — this is expected for skills and is not itself a red flag here.
Assessment
This skill is documentation-only and does not bundle code or request credentials, so its immediate footprint is small. Two practical cautions: (1) The guide mentions automated codemods but does not include them — if you or the agent fetches codemods from third-party URLs, review those scripts before running them (run on a branch/backup, inspect the code, and prefer official repo releases). (2) README contains example npx commands (one referencing a raw GitHub tree URL) that look nonstandard — treat any npx/add/download commands as potentially executing external code and verify the source before running. Otherwise, the skill appears coherent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
latestvk971nd4t3tp6qyh3363xgpp00x80x6ep
