The skill allows arbitrary code execution, state modification, and
Claims to do
@json-render/core: Core package for schema definition, catalog creation, and spec streaming.
Actually does
This skill provides functions to define JSON schemas and catalogs, generate AI prompts based on these definitions, process JSONL spec streams, resolve dynamic expressions against a state model, build user prompts for AI, validate and auto-fix JSON specs, and create an in-memory state store. It uses `zod` for schema validation and handles various JSON data structures.
The skill allows dynamic execution of functions via `$computed` expressions and actions via `watch` fields. If the function/action names or their arguments can be controlled by an attacker, this could lead to arbitrary code execution or invocation of sensitive internal functions, as no explicit whitelisting or sandboxing is detailed.
{"$computed": "fnName", "args": { ... }}; "watch": { "/path": { "action": "loadCities", "params": { ... } } }
The skill provides mechanisms for two-way binding (`$bindState`, `$bindItem`) and a built-in `setState` action, allowing modification of the application's state model. An attacker able to control input to components or trigger actions could write arbitrary data to any path in the state, potentially leading to data corruption, unauthorized state changes, or exfiltration of sensitive information.
{ "$bindState": "/path" }; { name: "setState", description: "Update a value in the state model" }; store.set(path, value)
The skill processes JSONL streams containing RFC 6902 JSON Patch operations to progressively build or modify specifications. If an attacker can inject malicious patches into this stream, they could alter the structure or content of the generated UI/video specification, leading to unauthorized changes in the application's behavior or appearance.
createSpecStreamCompiler; applySpecStreamPatch; EditMode: "patch" | "merge" | "diff"
The `buildUserPrompt` and `catalog.prompt` functions construct prompts for AI models, incorporating user input, current specifications, and state. If an attacker can inject malicious instructions into the `prompt` argument, `currentSpec`, or `state` data, they could manipulate the AI's behavior, leading to unintended actions or outputs.
buildUserPrompt({ prompt: "...", currentSpec: spec, state: { ... } }); catalog.prompt({ customRules: [...] })
The `$template` expression allows string interpolation using values from the state model. If an attacker can control the values within the state model that are referenced by a template, they could inject arbitrary text or markup into the generated output, potentially leading to UI defacement or further injection attacks if the output is rendered unsafely.
{ "$template": "Hello, ${/user/name}!" }