vercel-react-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (categories checked: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- COMMAND_EXECUTION (SAFE): Includes standard build-time commands like 'npx svgo'. No evidence of arbitrary command injection or malicious shell piping.
- REMOTE_CODE_EXECUTION (SAFE): Mentions reputable libraries like 'swr' and 'better-all'. No patterns of downloading or executing untrusted code from unknown sources.
- DATA_EXFILTRATION (SAFE): The skill demonstrates how to cache 'localStorage' and 'document.cookie' for performance. This data is handled locally and no exfiltration patterns to external domains were identified.
- DYNAMIC_EXECUTION (LOW): Rule 'rendering-hydration-no-flicker.md' recommends using 'dangerouslySetInnerHTML' to inject a synchronous script. This is a common performance pattern but represents a high-privilege API that should be used with caution.
- INDIRECT_PROMPT_INJECTION (LOW): The skill provides templates that, if applied to user-controlled data without sanitization, could lead to XSS vulnerabilities. Evidence: (1) Ingestion: theme-wrapper component (rules/rendering-hydration-no-flicker.md); (2) Boundaries: Absent; (3) Capability: dangerouslySetInnerHTML script injection; (4) Sanitization: Absent.