vercel-react-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE
Full Analysis
- [Prompt Injection] (SAFE): Comprehensive analysis of SKILL.md and all rule files confirms the absence of instructions attempting to override agent behavior, bypass safety filters, or extract system prompts.
- [Data Exposure & Exfiltration] (SAFE): No hardcoded credentials (API keys, tokens) or sensitive local file paths (e.g., ~/.aws, ~/.ssh) were detected. Code examples involving cookies or localStorage are instructional and demonstrate standard client-side state management patterns.
- [Remote Code Execution] (SAFE): There are no patterns involving the download and execution of remote scripts (e.g., curl|bash). References to external packages are limited to standard npm libraries.
- [Obfuscation] (SAFE): No hidden content, multi-layer encoding, zero-width characters, or homoglyphs were found. The content is entirely human-readable and transparent.
- [Dynamic Execution] (SAFE): The 'rendering-hydration-no-flicker' rule includes an example that uses 'dangerouslySetInnerHTML', but only to demonstrate a recognized architectural pattern for preventing SSR hydration flicker. The code is static and does not involve the execution of untrusted external input.
- [Unverifiable Dependencies] (SAFE): Dependencies mentioned in the rule files (SWR, lru-cache, better-all) are standard in the React ecosystem. 'better-all' is maintained by a trusted developer associated with the Vercel Engineering organization, matching the skill's metadata context.