Security risk report for @forgecat/vercel-labs_agent-skills_react-view-transitions v0.0.10
Source Integrity
Low
Profile originates from Vercel (vercel-labs), a known legitimate source with established open-source presence.
Content is published under MIT license and references official Vercel repositories and Next.js documentation.
Agent Intent
Low
Content is purely educational documentation on React View Transition API — no instructions to manipulate the AI, read credentials, exfiltrate data, or hide instructions.
Guidance is legitimate best-practice instruction for implementing native browser animations; no poisoned dependencies, security-weakening directives, or persistent biased rules that would steer future outputs toward attacker goals.
The note 'This document is mainly for agents and LLMs to follow' is a usage hint, not a manipulation attempt — it simply indicates the skill is optimized for AI-assisted workflows, which is appropriate for an agent skill.
Details
Evidence
All content focuses on React component APIs, CSS animation recipes, and Next.js integration patterns.
No references to reading ~/.ssh, ~/.aws, .env, or exfiltrating data.
No instructions to ignore system prompts, reveal hidden instructions, or install remote payloads.
No typosquatted packages, backdoored code templates, or directives to disable security defaults.
Permissions
Low
Profile declares no tools, hooks, or MCP servers — it is pure documentation with no executable authority.
Content is read-only guidance; the skill does not request file access, shell execution, network calls, or subagent delegation.
Details
Evidence
No 'tools' or 'mcp_servers' sections in the profile.
All code examples are React/JavaScript snippets for the user to copy into their own codebase — no automatic execution.
MCP Risk
Low
No MCP servers are defined in the profile.
No external binary execution, network access, or filesystem operations are declared or implied.
Details
Evidence
The 'MCP servers (untrusted data)' section is empty: '(none)'.