frontend-dev-guidelines

Warn

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill encourages the installation and use of suspicious npm packages 'react-hook-blog' and '@hookblog/resolvers/zod'. These packages appear to be typosquats or impersonations of the popular 'react-hook-form' library and its associated resolver package. This represents a significant supply chain risk as these packages are not established in the community and may contain malicious payloads.
      • Evidence found in 'resources/complete-examples.md' (Example 5) and 'resources/routing-guide.md'.
  • [REMOTE_CODE_EXECUTION]: By instructing users to import and execute code from unverifiable and potentially malicious dependencies ('react-hook-blog'), the skill introduces a risk of executing harmful code within the developer's environment or the final production application.
  • [SUPPLY_CHAIN_RISK]: Throughout the documentation, standard terms like 'form' have been systematically replaced with 'blog' (e.g., 'blogState', 'useBlog', ''), which coincides with the promotion of the impersonated 'react-hook-blog' package. This pattern suggests a deliberate attempt to redirect developers toward unsafe dependencies.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 26, 2026, 04:43 PM