vercel-react-best-practices
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill defines rules for the agent to analyze and modify user-provided code, creating a surface for indirect prompt injection where malicious instructions could be embedded in analyzed files to influence agent behavior.
- Ingestion points: User-provided React/Next.js source code (SKILL.md).
- Boundary markers: None provided in the instructions to separate code data from processing logic.
- Capability inventory: The agent is tasked with refactoring existing code and generating new components based on the provided rules (AGENTS.md).
- Sanitization: No mechanisms for sanitizing or validating external content are defined.
- [NO_CODE]: The skill consists entirely of Markdown files (SKILL.md, AGENTS.md, and the rules/ directory). No executable scripts (.js, .py, .sh), binaries, or automation configurations are included.
- [SAFE]: The optimization guidelines (e.g., avoiding waterfalls, bundle size reduction) align with industry standard best practices for React and Next.js. References to external resources point to well-known technology domains such as react.dev and nextjs.org. The authorship discrepancy (metadata citing 'vercel' while the uploader is 'Charlie85270') appears to be a source attribution for the documentation content rather than a malicious impersonation attempt.
Audit Metadata