react-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (SAFE): The skill includes a shell script (
references/rules/download_rules.sh) that usescurlto fetch rule definitions. These downloads target thevercel-labsGitHub organization, which is an explicitly trusted source. The files downloaded are markdown-based documentation and do not introduce executable risks. - Indirect Prompt Injection (SAFE): The skill ingests React code examples for educational purposes.
- Ingestion points: 40+ markdown files in the
references/rules/directory containing code snippets. - Boundary markers: Snippets are contained within standard markdown code blocks.
- Capability inventory: The skill contains no dangerous capabilities such as file system writes, arbitrary shell execution, or outbound network calls from within the logic itself.
- Sanitization: Content is treated as static reference data and is not interpolated into sensitive commands.
- Data Exposure & Exfiltration (SAFE): Analysis confirmed there are no hardcoded secrets, API keys, or attempts to access sensitive system files like SSH keys or AWS credentials.
- Obfuscation (SAFE): No encoded payloads (Base64), zero-width characters, or homoglyph-based evasion techniques were found in any of the 47 files.
Audit Metadata