vercel-react-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Indirect Prompt Injection (SAFE): The rule 'rendering-hydration-no-flicker.md' recommends using 'dangerouslySetInnerHTML' to inject a script into the DOM using data from 'localStorage'. While this is a common performance pattern to prevent flickering in SSR apps, it technically introduces a potential XSS surface if 'localStorage' values are compromised. However, in the context of a performance guide, this is a technical risk of the resulting application code rather than a malicious skill behavior. Evidence: 1. Ingestion: localStorage in 'rendering-hydration-no-flicker.md'. 2. Boundary markers: Absent. 3. Capability: DOM script execution. 4. Sanitization: Absent.
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill references external packages 'better-all' and 'lru-cache'. These are standard utilities in the React ecosystem. The author, Shu Ding, is a known engineer at Vercel (a trusted organization), which permits a downgrade of this finding.
- Prompt Injection (SAFE): No instructions were found that attempt to override agent behavior, bypass safety filters, or reveal system prompts.
Audit Metadata