React Native Clean Pattern

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only React Native/Expo scaffolding skill. Its development, logging, and configuration guidance is disclosed, but it leaves secret handling and telemetry hygiene to the user, so those need care.

Install only if you want an Expo/React Native scaffolding guide that may generate code using Sentry, Firebase, bearer-token API clients, local token storage, and npm/bun dependencies. Before running install commands or accepting generated code, verify dependencies, keep real secrets out of committed .env files, use secure storage for tokens, and configure logs/Sentry to send only sanitized metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
92% confidence
Finding
The skill explicitly directs users to create and use a .env file for app configuration in a mobile/Expo context, but it provides no guidance on secret classification, on excluding the file from version control, or on the fact that client-side env values are bundled into the shipped app (in Expo, every variable whose name starts with EXPO_PUBLIC_ is inlined into the JavaScript bundle at build time). In this context, developers may place API keys, tokens, or service credentials into .env and assume they are protected, leading to accidental source-control exposure or disclosure in the mobile bundle.
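The check a practitioner would run before committing a generated .env is shown below as an added example; it is not code from the scanned skill or from the SkillSpector report. It relies on one fact about Expo (variables prefixed EXPO_PUBLIC_ are inlined into the shipped bundle) and otherwise on assumptions constructed for the example: the secret-name heuristic, the .gitignore patterns it recognises, and the sample .env and .gitignore contents.

```javascript
// Added example: a pre-commit style check for the two failure modes named in the
// finding. Not part of the scanned skill or of the SkillSpector report.
// Fact relied on: Expo inlines every variable whose name starts with EXPO_PUBLIC_
// into the shipped JavaScript bundle, so such values are readable by anyone who
// unpacks the app. The secret-name heuristic, the recognised .gitignore patterns
// and the sample files are assumptions constructed for this example.

const SECRET_NAME_RE = /(secret|private|password|passwd|token|api[_-]?key|service[_-]?account|credential)/i;
const BUNDLED_PREFIX = 'EXPO_PUBLIC_';

// Parse the plain KEY=VALUE lines of a .env file into a Map. Comments and blank
// lines are skipped; one layer of surrounding quotes is stripped from values.
function parseDotenv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue;
    const name = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 && (value[0] === '"' || value[0] === "'") && value[value.length - 1] === value[0];
    if (quoted) value = value.slice(1, -1);
    vars.set(name, value);
  }
  return vars;
}

// True when .gitignore excludes ".env" and its ".env.<name>" variants. Only the
// literal patterns below are recognised; negation rules are not handled.
function gitignoreCoversEnv(gitignoreText) {
  const patterns = new Set(
    gitignoreText.split(/\r?\n/).map((l) => l.trim()).filter((l) => l !== '' && !l.startsWith('#')),
  );
  if (patterns.has('.env*')) return true;
  return patterns.has('.env') && patterns.has('.env.*');
}

// Classify secret-looking variables and report the .gitignore gap. Kinds:
//   bundled-secret  secret-looking name under EXPO_PUBLIC_: shipped inside the app bundle
//   local-secret    secret-looking name without the prefix: not inlined into the bundle,
//                   but it lives on disk and must not be committed
//   not-ignored     .gitignore does not exclude .env files
function auditEnv(envText, gitignoreText) {
  const findings = [];
  for (const [name] of parseDotenv(envText)) {
    if (!SECRET_NAME_RE.test(name)) continue;
    if (name.startsWith(BUNDLED_PREFIX)) {
      findings.push({ name, kind: 'bundled-secret', fix: 'move the call behind a server-side proxy; never ship the key' });
    } else {
      findings.push({ name, kind: 'local-secret', fix: 'keep out of git; read it in CI or app.config.js, not in app code' });
    }
  }
  if (!gitignoreCoversEnv(gitignoreText)) {
    findings.push({ name: '.gitignore', kind: 'not-ignored', fix: 'add ".env" and ".env.*" to .gitignore' });
  }
  return findings;
}

// Constructed sample files: a .env as a scaffolding skill might generate it, and a
// .gitignore that forgot to exclude it.
const SAMPLE_ENV = [
  '# constructed example .env',
  'EXPO_PUBLIC_API_URL=https://api.example.com',
  'EXPO_PUBLIC_SENTRY_DSN="https://publickey@o0.ingest.sentry.io/0"',
  'EXPO_PUBLIC_PAYMENTS_SECRET_KEY=sk_placeholder_value',
  "FIREBASE_SERVICE_ACCOUNT_JSON='{\"type\":\"service_account\"}'",
].join('\n');
const SAMPLE_GITIGNORE = 'node_modules/\n.expo/\n';

function main() {
  for (const f of auditEnv(SAMPLE_ENV, SAMPLE_GITIGNORE)) {
    console.log(`${f.kind.padEnd(15)} ${f.name}: ${f.fix}`);
  }
}
main();
```

The Sentry DSN is deliberately not flagged: a DSN is a public write key and is expected to ship in the bundle. Tokens the app obtains at runtime (session or refresh tokens) do not belong in .env at all; they go into expo-secure-store, which is backed by the platform keychain/keystore.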

Missing User Warnings

Low
95% confidence
Finding
The skill explicitly instructs the agent/user to run environment-modifying commands such as `npm install`/`bun install` and `npx expo start` during its activation flow without any approval gate, warning, or confirmation step. In an agent skill context this is dangerous because package installation runs the preinstall/install/postinstall lifecycle scripts of every dependency with the user's privileges, and can modify the local workspace or system state unexpectedly.
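An approval gate for that install step, as an added example that is not part of the scanned skill or of the SkillSpector report: it audits the package.json an agent proposes before anything is installed and names the install command to use afterwards. The facts it relies on are that `npm install` runs the lifecycle scripts of the project and of every dependency, that `npm ci --ignore-scripts` installs from the lockfile without running any of them, and that `ignore-scripts=true` in .npmrc makes that the default. The version-range rules, the specifier classes and the sample package.json are assumptions constructed for the example.

```javascript
// Added example: a pre-install audit for the step the finding describes. Not part
// of the scanned skill or of the SkillSpector report.
// Facts relied on: `npm install` runs preinstall/install/postinstall/prepare scripts
// of the project and of every dependency; `npm ci --ignore-scripts` installs from the
// lockfile without running them; `ignore-scripts=true` in .npmrc makes that default.
// The regexes, the finding kinds and the sample package.json are assumptions.

const EXACT_VERSION_RE = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
// Specifiers that bypass the registry entirely (git, tarball URLs, local paths).
const NON_REGISTRY_RE = /^(git(\+[a-z]+)?:|github:|gitlab:|bitbucket:|https?:|file:|ssh:)/i;
// Script names npm runs as part of `npm install` for the project itself.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

function classifySpecifier(spec) {
  if (NON_REGISTRY_RE.test(spec)) return 'non-registry';
  if (EXACT_VERSION_RE.test(spec)) return 'pinned';
  return 'unpinned'; // ranges (^, ~, *, >=), tags such as "latest", or anything else
}

// Returns one finding per problem; an empty array means the manifest is clean.
function auditPackageJson(pkgText, hasLockfile) {
  const pkg = JSON.parse(pkgText);
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpecifier(String(spec));
      if (kind !== 'pinned') findings.push({ kind, name, spec: String(spec), field });
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ kind: 'install-hook', name: hook, spec: pkg.scripts[hook], field: 'scripts' });
    }
  }
  // Without a lockfile `npm ci` cannot run and unpinned ranges resolve differently
  // on every machine, so the reviewed tree is not the installed tree.
  if (!hasLockfile) findings.push({ kind: 'no-lockfile', name: 'package-lock.json', spec: '', field: '' });
  return findings;
}

// The command to run once the findings have been reviewed: install without
// executing any lifecycle script, then inspect node_modules before `npm rebuild`.
function installCommand(hasLockfile) {
  return hasLockfile ? 'npm ci --ignore-scripts' : 'npm install --ignore-scripts';
}

// Constructed sample manifest of the kind a scaffolding skill might emit.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  scripts: { start: 'expo start', postinstall: 'node ./scripts/setup.js' },
  dependencies: {
    expo: '~51.0.0',
    'react-native': '0.74.5',
    '@sentry/react-native': '^5.24.0',
    'some-helper': 'github:example-org/some-helper',
    'internal-util': 'https://example.com/internal-util-1.0.0.tgz',
  },
  devDependencies: { typescript: 'latest' },
});

function main() {
  const findings = auditPackageJson(SAMPLE_PACKAGE_JSON, false);
  for (const f of findings) console.log(`${f.kind.padEnd(13)} ${f.field} ${f.name} ${f.spec}`);
  console.log('next step:', installCommand(false));
}
main();
```

Dependency lifecycle scripts cannot be audited from package.json alone because they live in each dependency's own manifest; the point of `--ignore-scripts` is to get the tree onto disk so those manifests can be read before anything executes. Bun takes the opposite default and runs dependency lifecycle scripts only for packages listed in trustedDependencies, so a generated package.json that adds entries there deserves the same review.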

Missing User Warnings

Medium
84% confidence
Finding
The workflow instructs implementers to send bearer tokens on API requests and to forward errors and breadcrumbs to Sentry, but it includes no guidance on consent, data minimization, or keeping request and response data (headers, bodies, query strings) out of telemetry. In a production mobile app this can leak personal data or credentials through logs and third-party monitoring whenever redaction is incomplete or misconfigured.
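The redaction layer the finding asks for, as an added example that is not code from the scanned skill or from the SkillSpector report. It relies on the documented Sentry SDK options `beforeSend`, `beforeBreadcrumb`, `sendDefaultPii` and `maxBreadcrumbs` (the two hooks receive an event or breadcrumb and return it, or null to drop it); the key list, the JWT pattern, the placeholder text and the sample event are assumptions constructed for the example, and the `Sentry.init` call is shown in a comment rather than executed.

```javascript
// Added example: scrubbing hooks for the Sentry integration the finding describes.
// Not part of the scanned skill or of the SkillSpector report.
// Facts relied on: the Sentry SDK options beforeSend, beforeBreadcrumb,
// sendDefaultPii and maxBreadcrumbs exist; the two hooks return the event or
// breadcrumb to send, or null to drop it. Key list, JWT pattern, placeholder
// text and SAMPLE_EVENT are assumptions constructed for this example.

const SENSITIVE_KEY_RE = /^(authorization|proxy-authorization|cookie|set-cookie|x-api-key|api[_-]?key|access[_-]?token|refresh[_-]?token|id[_-]?token|token|password|passwd|secret|client[_-]?secret)$/i;
// Compact JWS/JWT: every header is base64url of '{"', which starts with "eyJ".
const JWT_RE = /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g;
const PII_USER_FIELDS = ['email', 'ip_address', 'username'];
const REDACTED = 'REDACTED';
const MAX_DEPTH = 10;

function scrubString(s) {
  return s.replace(JWT_RE, REDACTED);
}

// Blank credential-bearing query parameters and any user:password in a URL.
function scrubUrl(url) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return scrubString(url); }
  for (const name of Array.from(parsed.searchParams.keys())) {
    if (SENSITIVE_KEY_RE.test(name)) parsed.searchParams.set(name, REDACTED);
  }
  parsed.username = '';
  parsed.password = '';
  return scrubString(parsed.toString());
}

// Return a scrubbed deep copy; the input is never mutated. Any value stored under
// a sensitive key is replaced wholesale, whatever its type.
function scrubValue(value, key, depth) {
  if (depth > MAX_DEPTH) return '[truncated]';
  if (typeof key === 'string' && SENSITIVE_KEY_RE.test(key)) return value == null ? value : REDACTED;
  if (typeof value === 'string') return key === 'url' ? scrubUrl(value) : scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, undefined, depth + 1));
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k, depth + 1);
    return out;
  }
  return value;
}

function scrubEvent(event) {
  const out = scrubValue(event, undefined, 0);
  if (out && out.user) for (const f of PII_USER_FIELDS) delete out.user[f];
  return out;
}

function scrubBreadcrumb(breadcrumb) {
  // Console breadcrumbs carry raw log arguments, which is where ad-hoc token logging ends up.
  if (breadcrumb && breadcrumb.category === 'console') return null;
  return scrubValue(breadcrumb, undefined, 0);
}

function buildSentryOptions(dsn) {
  return { dsn, sendDefaultPii: false, maxBreadcrumbs: 50, beforeSend: scrubEvent, beforeBreadcrumb: scrubBreadcrumb };
}
// In the app: Sentry.init(buildSentryOptions(process.env.EXPO_PUBLIC_SENTRY_DSN));

// Constructed event of the shape an unfiltered 401 would produce.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.c2lnbmF0dXJl';
const SAMPLE_EVENT = {
  message: 'Request failed with 401',
  request: {
    url: 'https://user:pw@api.example.com/me?access_token=abc123&page=2',
    headers: { Authorization: 'Bearer ' + SAMPLE_JWT, 'Content-Type': 'application/json' },
    data: { password: 'hunter2', note: 'retry later' },
  },
  user: { id: '42', email: 'user@example.com', ip_address: '203.0.113.7' },
  breadcrumbs: [{
    category: 'fetch',
    message: 'token ' + SAMPLE_JWT + ' expired',
    data: { url: 'https://api.example.com/refresh?refresh_token=r1', status_code: 401 },
  }],
};

function main() {
  console.log(JSON.stringify(scrubEvent(SAMPLE_EVENT), null, 2));
}
main();
```

The bearer token itself should be read from expo-secure-store inside the fetch wrapper at call time and never placed in a breadcrumb, log line or error message; the hooks above are the backstop for the cases where that discipline slips, not a substitute for it.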

VirusTotal

64/64 vendors flagged this skill as clean.
