integration-react-vite
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill analyzes untrusted user project files to plan and implement event tracking, creating a surface for indirect instructions to influence agent behavior.
- Ingestion points: User project source files selected for event tracking, including login and signup forms and API routes (references/basic-integration-1.0-begin.md).
- Boundary markers: Absent; no delimiters are used to separate user code from instructions.
- Capability inventory: File read/write access, shell command execution (linting/building), and MCP tool usage for dashboard management.
- Sanitization: Absent; file content is interpreted directly without escaping to identify code patterns.
- [COMMAND_EXECUTION]: The skill instructs the agent to run scripts defined in the project's configuration file.
- Evidence: In basic-integration-1.2-revise.md, the agent is directed to "run any linter or prettier-like scripts found in the package.json" on edited files.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of official PostHog libraries from public package registries.
- Evidence: references/react.md identifies posthog-js and @posthog/react as required dependencies. These are official vendor resources.
Audit Metadata