The Agent Skills Directory

[METADATA_POISONING]: The skill's YAML frontmatter in SKILL.md identifies the author as 'vercel', which conflicts with the platform's metadata identifying the actual provider. This is misleading as it implies official endorsement or authorship by Vercel Engineering.\n- [INDIRECT_PROMPT_INJECTION]: The skill is designed to analyze and refactor user-provided React code, creating a vulnerability surface where malicious instructions embedded in the user's source code could potentially influence the agent's behavior during the optimization process. Evidence in SKILL.md and AGENTS.md confirms the skill processes untrusted user input to suggest modifications.\n- [DYNAMIC_EXECUTION]: The rule 'rendering-hydration-no-flicker.md' suggests using 'dangerouslySetInnerHTML' to inject and execute an inline script for theme management. While this is a common development pattern for avoiding hydration flickers, it involves the generation and execution of dynamic scripts at runtime.\n- [EXTERNAL_DOWNLOADS]: The skill documentation in README.md and SKILL.md suggests installation via the 'clawhub' utility and references well-known external packages including 'swr', 'lru-cache', and 'better-all' from the npm registry. These are well-known resources in the React ecosystem and are considered safe sources.

react-best-practices