Security risk report for @forgecat/vercel-labs_agent-skills_react-best-practices v0.0.8
Source Integrity
Low
Profile is sourced from Vercel Labs (vercel-labs/agent-skills), a legitimate, well-known organization; original repository and commit hash are declared.
Content is published under MIT license and documented as tested on Claude Code, Cursor, and Codex platforms; no supply-chain red flags.
Agent Intent
Low
Content is purely educational documentation of React/Next.js performance best practices; no instructions to manipulate the AI, ignore system prompts, read credentials, or exfiltrate data.
Code examples demonstrate correct vs. incorrect patterns for performance optimization; they are illustrative, not injected malicious instructions.
No guidance poisoning: the rules recommend well-known, legitimate libraries (SWR, Next.js built-ins, React hooks) and standard practices; no typosquatted packages, backdoored templates, or security-weakening defaults.
Details
Evidence
AGENTS.md is a structured performance guide with 40+ rules across 8 categories, each with clear explanations and code comparisons.
Example: 'Use SWR for Automatic Deduplication' recommends the official SWR library (https://swr.vercel.app) for client-side data fetching.
Example: 'Avoid Barrel File Imports' recommends Next.js's built-in optimizePackageImports feature and direct imports from legitimate libraries.
Permissions
Low
Profile declares no tools, MCP servers, or file/shell/network permissions; it is pure markdown documentation.
Skill is scoped to reading and analyzing React/Next.js code during development workflows; no excessive agency or high-risk tool categories requested.
Details
Evidence
Profile metadata: 'Dependencies: None'; no tool definitions or MCP server configurations.
Description: 'This skill should be used when writing, reviewing, or refactoring React/Next.js code'; authority is narrowly scoped to code review and generation.
MCP Risk
Low
No MCP servers are defined in the profile; the skill is a static markdown documentation artifact.
No binary execution, network access, or filesystem operations are declared or implied.
Details
Evidence
Profile contains only markdown files (AGENTS.md, README.md, rule files); no MCP server definitions or tool configurations.