react
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Full Analysis
- Data Ingestion Surface: The skill is designed to process JSON-based element trees, which can originate from external sources or AI models.
  - Ingestion points: The `Renderer` component accepts a `spec` object as input, and the `useUIStream` hook facilitates streaming specifications from API endpoints.
  - Capability inventory: The framework enables UI rendering, state mutations (e.g., `setState`), and event handling through a defined registry.
  - Sanitization: The skill uses `zod` within `defineCatalog` to perform structural validation and type-checking on incoming props, which helps ensure the data conforms to expected formats before rendering.
- Dynamic Component Resolution: The framework maps JSON `type` fields to React components at runtime.
  - Mechanism: This dynamic mapping is limited to the `registry` object provided by the developer. This acts as an effective allowlist, preventing the JSON specification from rendering arbitrary or unauthorized components.
- Dynamic Expression Resolution: Features like `$computed` allow the specification to trigger logic during rendering.
  - Pattern: Expressions such as `{ "$computed": "functionName" }` are used to resolve prop values.
  - Context: These calls are restricted to functions explicitly registered in the `functions` prop of the `JSONUIProvider`, ensuring that only developer-approved logic can be executed by the renderer.
Audit Metadata