heroui-react
Pass
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill includes instructions to prioritize HeroUI v3 patterns and disregard legacy v2 knowledge. This is identified as a legitimate scoping technique intended to ensure technical accuracy and does not represent a malicious attempt to override core agent safety protocols.
- [EXTERNAL_DOWNLOADS]: Scripts within the skill fetch documentation, MDX content, and source code from official vendor domains (v3.heroui.com, mcp-api.heroui.com) and the heroui-inc GitHub repository. These fetches are used solely for informational purposes and the retrieved content is not executed as code.
- [DATA_EXFILTRATION]: Outbound network requests made by the helper scripts include an 'app=react-skills' parameter. This is used for benign vendor analytics to track skill usage and does not involve the exfiltration of sensitive user data, environment variables, or credentials.
- [SAFE]: No instances of obfuscation, persistence mechanisms, privilege escalation, or unsafe credential handling were found in the analyzed files.
Audit Metadata