vercel-react-best-practices

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
  • [PROMPT_INJECTION]: The skill defines rules for the agent to analyze and modify user-provided code, creating a surface for indirect prompt injection where malicious instructions could be embedded in analyzed files to influence agent behavior.
  • Ingestion points: User-provided React/Next.js source code (SKILL.md).
  • Boundary markers: None provided in the instructions to separate code data from processing logic.
  • Capability inventory: The agent is tasked with refactoring existing code and generating new components based on the provided rules (AGENTS.md).
  • Sanitization: No mechanisms for sanitizing or validating external content are defined.
  • [NO_CODE]: The skill consists entirely of Markdown files (SKILL.md, AGENTS.md, and the rules/ directory). No executable scripts (.js, .py, .sh), binaries, or automation configurations are included.
  • [SAFE]: The optimization guidelines (e.g., avoiding waterfalls, bundle size reduction) align with industry standard best practices for React and Next.js. References to external resources point to well-known technology domains such as react.dev and nextjs.org. The authorship discrepancy (metadata citing 'vercel' while the uploader is 'Charlie85270') appears to be a source attribution for the documentation content rather than a malicious impersonation attempt.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 13, 2026, 05:46 PM
Security Audit — agent-trust-hub — vercel-react-best-practices