stream-react
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches and installs standard React/Next.js components and official Stream SDKs from trusted sources (npmjs.com, GetStream's registry). These operations are consistent with the skill's stated purpose of project scaffolding.
- [EXTERNAL_DOWNLOADS]: Offers to install optional development skill packs from trusted organizations (Vercel Labs, Anthropic) only after explicit user disclosure and consent, as defined in Task A.2.
- [COMMAND_EXECUTION]: Executes shell commands via npm, npx, and the Stream CLI to initialize projects, manage dependencies, and configure Stream applications. These commands are scoped to the project environment and user-authorized workflows.
- [CREDENTIALS_UNSAFE]: Appropriately manages Stream API credentials by using the local Stream CLI to write to a .env file. The skill enforces strict rules (RULES.md) that prevent the AI agent from reading or editing this file, and ensures it is properly gitignored.
- [PROMPT_INJECTION]: The skill uses a 'docs-first' protocol (references/DOCS.md), requiring the agent to fetch current documentation before implementing features. This prevents the use of stale or insecure patterns from training data.
Audit Metadata