ClawHub

react-best-practices

Security checks across malware telemetry and agentic risk

Overview

This documentation-only React skill does not execute code, but some “correct” examples could lead an agent to add unsafe session logging, inline scripts, or cross-request user caching.

Review before installing, especially if agents may apply the examples automatically. Do not log raw session cookies, keep inline hydration scripts static and CSP-compatible with no untrusted interpolation, and only cache user data with explicit authorization, tenant scoping, TTLs, and invalidation rules.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document explicitly recommends injecting a synchronous inline script as a best-practice pattern but does not mention the security tradeoffs, especially CSP incompatibility, integrity concerns, and the risk that future edits may interpolate untrusted data into the script body. In a broadly reused React/Next.js guidance skill, this can normalize a dangerous pattern and lead downstream users to copy it into security-sensitive contexts without proper safeguards.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guidance explicitly demonstrates collecting and logging a session cookie value together with the user-agent in a background task, but provides no warning about minimizing, redacting, or lawfully handling sensitive identifiers. Session cookies can be authentication-related secrets or stable identifiers, so normalizing this pattern in a best-practices skill could encourage unsafe telemetry, privacy violations, or accidental leakage into logs and downstream analytics systems.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance recommends cross-request in-memory caching of user records keyed only by user ID and emphasizes persistence across requests, but it does not warn about tenant/user isolation, authorization revalidation, cache scoping, or the risk of serving stale sensitive data across sessions. In a React/Next.js best-practices skill, this omission is more dangerous because developers may copy the pattern directly into authenticated endpoints and assume it is generally safe, increasing the chance of privacy leaks or broken access control in multi-user applications.

Unvalidated Output Injection

High
Category
Output Handling
Content
{children}
      </div>
      <script
        dangerouslySetInnerHTML={{
          __html: `
            (function() {
              try {
Confidence
93% confidence
Finding
dangerouslySetInnerHTML={

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal