vercel-react-best-practices
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Flags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- Unverifiable Dependencies & Remote Code Execution (LOW): The skill references several third-party libraries in its code examples (e.g., 'better-all', 'swr', 'lru-cache'). While these are reputable packages, they constitute external dependencies. The documentation also suggests running 'npx svgo' for SVG optimization. Per the [TRUST-SCOPE-RULE], these references are categorized as LOW severity due to the trusted nature of the Vercel organization.
- Indirect Prompt Injection (LOW): The skill is intended to be used by an agent to review or refactor code, creating a surface for indirect prompt injection.
  1. Ingestion points: User source code files (.tsx, .js) provided to the agent for optimization.
  2. Boundary markers (absent): No specific delimiters or instructions are provided to ignore instructions embedded in user code.
  3. Capability inventory: The agent typically possesses the ability to write files or suggest code changes.
  4. Sanitization (absent): No explicit sanitization of user-provided code is mentioned.
- [SAFE] (SAFE): All provided code snippets and architectural patterns are legitimate engineering best practices for React and Next.js applications.
Audit Metadata