vercel-react-best-practices

Pass

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: LOW
Full Analysis
  • [Data Exposure] (SAFE): No hardcoded secrets or unauthorized data access patterns detected. References to local storage and cookies are limited to legitimate client-side state management (e.g., theme toggling) as per standard Next.js patterns.
  • [Remote Code Execution] (SAFE): No patterns for downloading and executing untrusted remote code. References to external packages like swr, lru-cache, and svgo are for standard, well-known development tools and libraries.
  • [Indirect Prompt Injection] (LOW): The skill is intended to process user-provided code for review and refactoring. While this creates an ingestion surface for untrusted data, the skill itself provides static, safe guidelines. The risk level is low and inherent to the agent's task of code analysis.
  • [Obfuscation] (SAFE): All content is written in clear markdown and TypeScript. No encoding (Base64), zero-width characters, or homoglyph attacks were found.
  • [Privilege Escalation] (SAFE): The skill does not contain any instructions attempting to use sudo, modify system files, or bypass environment constraints.
  • [Dynamic Execution] (LOW): The rendering-hydration-no-flicker.md rule suggests using dangerouslySetInnerHTML to inject a small theme-loading script. This is a common performance optimization in React to prevent hydration flicker; the example uses a hardcoded, safe IIFE with no user input interpolation.
Audit Metadata
Risk Level: LOW
Analyzed: Feb 16, 2026, 05:49 AM