vercel-react-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Full Analysis
- [NO_CODE] (SAFE): The skill package consists exclusively of Markdown files (.md). There are no executable scripts (.js, .sh, .py), configuration files, or binaries that perform actions on the host system. All logic resides within the AI agent's interpretation of the provided guidelines.
- [EXTERNAL_DOWNLOADS] (LOW): The documentation references external libraries and utilities such as swr, better-all, and lru-cache. These references are educational or architectural recommendations. The link to better-all (github.com/shuding/better-all) is associated with a known Vercel engineer, and since the skill author is Vercel (a trusted organization), these references are considered safe under the [TRUST-SCOPE-RULE].
- [PROMPT_INJECTION] (SAFE): Analysis of the instructions and metadata found no attempts to bypass safety filters or override the agent's core instructions. Terms like 'CRITICAL' and 'IMPORTANT' are used correctly within the context of performance impact levels (e.g., 'Eliminating Waterfalls').
- [DATA_EXFILTRATION] (SAFE): No patterns indicating the access or transmission of sensitive data were found. Code examples involving localStorage or cookies are strictly focused on performance caching and preventing hydration flickering.
- [INDIRECT_PROMPT_INJECTION] (INFO): The skill's primary purpose is to analyze and review user-provided React/Next.js code. While this creates an ingestion point for untrusted data, the skill has no 'write' or 'execute' capabilities (e.g., file modification, shell access, or network requests). The risk is negligible as the output is restricted to the agent's reasoning and responses.
Audit Metadata