This skill is highly vulnerable to arbitrary code execution, data
Claims to do
@json-render/react: React renderer that converts JSON specs into React component trees.
Actually does
This skill provides a React renderer (`@json-render/react`) that consumes JSON specifications and a component registry to build React component trees. It uses `zod` for schema validation and includes utilities for state management, event handling, and dynamic prop expressions. It can fetch JSON specs from API endpoints via `useUIStream`.
The `$computed` expression lets a spec call a function from the `functions` registry with arguments resolved from the spec. The spec only names the function; what actually runs is whatever the application registered under that name, so the registry is the trust boundary. If the registry can be populated from untrusted input, or it exposes functions with dangerous side effects, an AI-generated spec (which an attacker can shape through the prompt) can invoke them with attacker-chosen arguments, which amounts to command execution or data exfiltration.
`{ "$computed": "fn", "args": { ... } }`
The `useUIStream` hook streams UI specifications from an external API endpoint. If that endpoint is compromised or untrusted, it can serve malicious UI definitions; everything the rendered components, registered functions and built-in actions can do is then available to the endpoint, including code execution through an unsafe registry or data exfiltration through the rendered components. The transport should be authenticated and each spec validated before it is rendered.
`useUIStream` | Stream specs from an API endpoint
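The `$computed` lookup described above, as an added example in JavaScript that is not part of `@json-render/react`. It assumes an `args` object of name-to-expression pairs that is resolved and passed to the function as one object, and a `$state` expression holding a `/a/b` path into the state tree; both shapes are assumptions for illustration, as is the sample registry. The point it shows is that the registry, not the spec, decides what can run, and that a registry backed by a `Map` refuses names such as `toString` or `constructor` that a plain-object lookup would resolve through the prototype chain.

```javascript
// Added example: minimal resolver for "$computed" / "$state" prop expressions.
// Not the library's code; the args/state shapes below are assumptions.

class SpecError extends Error {}

// Registry built in application code. A Map only answers `has` for names
// that were registered; `name in plainObject` would also be true for
// inherited members like "toString", "constructor" or "__proto__".
const functions = new Map([
  ["formatPrice", ({ cents, currency }) => `${currency} ${(cents / 100).toFixed(2)}`],
  ["isAdult", ({ age }) => Number(age) >= 18],
]);

// Walk a "/a/b" path using own properties only, so "/user/__proto__" yields
// undefined instead of Object.prototype.
function getPath(state, path) {
  if (typeof path !== "string" || !path.startsWith("/")) {
    throw new SpecError(`bad $state path: ${String(path)}`);
  }
  return path.slice(1).split("/").reduce((cur, key) => {
    if (cur === null || typeof cur !== "object") return undefined;
    return Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
  }, state);
}

function resolveProp(value, state, registry = functions) {
  if (Array.isArray(value)) return value.map((v) => resolveProp(v, state, registry));
  if (value === null || typeof value !== "object") return value;

  if (Object.prototype.hasOwnProperty.call(value, "$state")) {
    return getPath(state, value.$state);
  }

  if (Object.prototype.hasOwnProperty.call(value, "$computed")) {
    const name = value.$computed;
    // Unknown or non-string names are rejected before any call happens.
    if (typeof name !== "string" || !registry.has(name)) {
      throw new SpecError(`$computed names an unregistered function: ${String(name)}`);
    }
    const rawArgs = value.args !== null && typeof value.args === "object" ? value.args : {};
    const args = {};
    for (const key of Object.keys(rawArgs)) {
      args[key] = resolveProp(rawArgs[key], state, registry);
    }
    return registry.get(name)(args);
  }

  // Ordinary nested object: resolve each field in place.
  const out = {};
  for (const key of Object.keys(value)) out[key] = resolveProp(value[key], state, registry);
  return out;
}

// Constructed sample state and props (not from the project).
const sampleState = { user: { age: 21 }, cart: { total: 1999 } };
const sampleProps = {
  label: { $computed: "formatPrice", args: { cents: { $state: "/cart/total" }, currency: "USD" } },
  enabled: { $computed: "isAdult", args: { age: { $state: "/user/age" } } },
};

function resolveSample() {
  return resolveProp(sampleProps, sampleState);
}

// Returns the rejection message for a spec naming `name`, or null if it ran.
function rejectedName(name) {
  try {
    resolveProp({ $computed: name, args: {} }, sampleState);
    return null;
  } catch (e) {
    return e instanceof SpecError ? e.message : null;
  }
}
```

`resolveSample()` yields `{ label: "USD 19.99", enabled: true }`, while `rejectedName("toString")` and `rejectedName("constructor")` both return a rejection message, because `functions.has(...)` is false for them even though `"toString" in {}` is true.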
Built-in actions like `setState`, `pushState`, `removeState`, and `validateForm` are "injected into AI prompts" and handled automatically by `ActionProvider`. Because the model already knows these actions, a manipulated model can emit them in a spec without the application having declared them in its catalog, and unless the handler restricts which state paths they may target, the spec can alter application state or trigger validation at will, with state corruption or unintended side effects as the result.
Built-in Actions | The setState, pushState, removeState, and validateForm actions are built into the React schema and handled automatically by ActionProvider. They are injected into AI prompts without needing to be declared in catalog actions:
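A handler for the built-in state actions that only accepts the paths the application declared writable, as an added JavaScript example; it is not the library's `ActionProvider`, and the action shape `{ "action": ..., "params": { "statePath": ..., "value": ... } }`, the `writablePaths` list and the sample state are assumptions for illustration. `validateForm` is left out because its behaviour depends on the form schema.

```javascript
// Added example: handler for the built-in setState / pushState / removeState
// actions that only mutates declared state paths. Not the library's code;
// the action shape and the writable-path list are assumptions.

class ActionError extends Error {}

// Paths an AI-generated spec may change. "/auth/*" is deliberately absent.
const writablePaths = new Set(["/form/email", "/form/items", "/ui/step"]);

function applyAction(state, action) {
  const name = action && action.action;
  const params = (action && action.params) || {};
  const path = params.statePath;

  // Allowlist first: a manipulated model cannot aim an action at an
  // undeclared path, whatever the action type.
  if (typeof path !== "string" || !writablePaths.has(path)) {
    throw new ActionError(`${String(name)} targets undeclared path ${String(path)}`);
  }

  // Work on a copy so a rejected action leaves the original state intact.
  const next = JSON.parse(JSON.stringify(state));
  const keys = path.slice(1).split("/");
  const leaf = keys.pop();
  const parent = keys.reduce((cur, k) => {
    if (cur[k] === null || typeof cur[k] !== "object") cur[k] = {};
    return cur[k];
  }, next);

  switch (name) {
    case "setState":
      parent[leaf] = params.value;
      break;
    case "pushState":
      if (!Array.isArray(parent[leaf])) {
        throw new ActionError(`pushState target ${path} is not an array`);
      }
      parent[leaf].push(params.value);
      break;
    case "removeState":
      if (!Array.isArray(parent[leaf]) || !Number.isInteger(params.index) || params.index < 0) {
        throw new ActionError("removeState needs an array target and a non-negative index");
      }
      parent[leaf].splice(params.index, 1);
      break;
    default:
      throw new ActionError(`unknown built-in action: ${String(name)}`);
  }
  return next;
}

// Constructed sample: a spec-driven sequence followed by an attempt to
// escalate through a path the application never declared.
const initialState = { form: { email: "", items: [] }, ui: { step: 0 }, auth: { isAdmin: false } };

function runSample() {
  let s = initialState;
  s = applyAction(s, { action: "setState", params: { statePath: "/form/email", value: "a@example.com" } });
  s = applyAction(s, { action: "pushState", params: { statePath: "/form/items", value: "sku-1" } });
  s = applyAction(s, { action: "pushState", params: { statePath: "/form/items", value: "sku-2" } });
  s = applyAction(s, { action: "removeState", params: { statePath: "/form/items", index: 0 } });
  let escalationBlocked = false;
  try {
    applyAction(s, { action: "setState", params: { statePath: "/auth/isAdmin", value: true } });
  } catch (e) {
    escalationBlocked = e instanceof ActionError;
  }
  return { state: s, escalationBlocked };
}
```

`runSample()` ends with `form.email` set, `form.items` equal to `["sku-2"]`, `auth.isAdmin` still `false` and `escalationBlocked` true; the path check runs before the action type is even looked at, so adding a new built-in action later does not widen what the spec can touch.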
Dynamic prop expressions, especially `$computed` calls and nested conditional logic (`$cond`, `$and`, `$or`), are evaluated for every spec that is rendered. If their evaluation is not bounded (nesting depth, spec size, work per render), a malicious spec can drive excessive computation, leading to denial of service or resource exhaustion.
`{ "$computed": "fn", "args": { ... } }`
The system renders AI-generated JSON specs into React components. React escapes string children and attribute values, so plain string props and `$template` output are not an XSS vector on their own; the exposure is in anything that bypasses that escaping: `dangerouslySetInnerHTML`, URL props such as `href` or `src` that accept a `javascript:` value, and registry components that insert raw HTML. If a spec can reach any of those without sanitization, an attacker can inject script, leading to XSS.
description: "...rendering AI-generated specs."
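The checks a renderer should run on a spec after it arrives from a `useUIStream`-style endpoint and before anything is rendered, covering the untrusted-endpoint, resource-exhaustion and XSS findings above, as an added JavaScript example that is not part of `@json-render/react`. The component catalog, the element shape `{ "type", "props", "children" }`, the limits and the two sample specs are assumptions constructed for illustration.

```javascript
// Added example: validate a spec received from an untrusted endpoint before
// rendering. Not the library's code; catalog, element shape and limits are
// assumptions.

const MAX_NODES = 500;       // caps work per spec (resource exhaustion)
const MAX_EXPR_DEPTH = 8;    // caps nested $cond/$and/$or/$computed chains
const URL_PROPS = new Set(["href", "src"]);
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);

// Allowed props per component. Anything not listed (dangerouslySetInnerHTML,
// onClick, ref, ...) is rejected, so the allowlist is what keeps a spec away
// from React's escaping bypasses.
const catalog = new Map([
  ["Stack", new Set(["gap"])],
  ["Text", new Set(["content", "className"])],
  ["Link", new Set(["href", "label"])],
  ["Image", new Set(["src", "alt"])],
]);

// Browsers drop tabs/newlines inside a scheme and trim leading controls, so
// normalise the same way before reading the scheme.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return true; // relative URL
  return SAFE_SCHEMES.has(m[1].toLowerCase());
}

// Depth of nested expression objects (keys starting with "$"). Stops
// descending once the limit is passed so a huge nested spec cannot exhaust
// the validator's own stack.
function exprDepth(value, depth = 0) {
  if (depth > MAX_EXPR_DEPTH) return depth;
  if (Array.isArray(value)) return value.reduce((m, v) => Math.max(m, exprDepth(v, depth)), depth);
  if (value === null || typeof value !== "object") return depth;
  const keys = Object.keys(value);
  const next = keys.some((k) => k.startsWith("$")) ? depth + 1 : depth;
  return keys.reduce((m, k) => Math.max(m, exprDepth(value[k], next)), next);
}

// Returns a list of violations; an empty list means the spec may be rendered.
function validateSpec(root) {
  const errors = [];
  let nodes = 0;
  const visit = (el, where) => {
    if (++nodes > MAX_NODES) {
      if (nodes === MAX_NODES + 1) errors.push(`spec exceeds ${MAX_NODES} nodes`);
      return;
    }
    if (el === null || typeof el !== "object" || typeof el.type !== "string") {
      errors.push(`${where}: element needs a string type`);
      return;
    }
    const allowed = catalog.get(el.type);
    if (!allowed) {
      errors.push(`${where}: unknown component ${el.type}`);
      return;
    }
    const props = el.props !== null && typeof el.props === "object" ? el.props : {};
    for (const key of Object.keys(props)) {
      const v = props[key];
      if (!allowed.has(key)) {
        errors.push(`${where}: prop ${key} not allowed on ${el.type}`);
        continue;
      }
      if (URL_PROPS.has(key) && typeof v === "string" && !isSafeUrl(v)) {
        errors.push(`${where}: unsafe URL in ${key}`);
      }
      if (exprDepth(v) > MAX_EXPR_DEPTH) {
        errors.push(`${where}: expression in ${key} nested too deeply`);
      }
    }
    const children = el.children === undefined ? [] : el.children;
    if (!Array.isArray(children)) {
      errors.push(`${where}: children must be an array`);
      return;
    }
    children.forEach((c, i) => visit(c, `${where}.children[${i}]`));
  };
  visit(root, "root");
  return errors;
}

// Constructed specs: one as a benign endpoint would send it, one as a
// compromised endpoint or manipulated model might.
const cleanSpec = {
  type: "Stack", props: { gap: 4 }, children: [
    { type: "Text", props: { content: { $state: "/user/name" } } },
    { type: "Link", props: { href: "https://example.com/docs", label: "Docs" } },
  ],
};

function deepExpr(levels) {
  let e = { $state: "/flag" };
  for (let i = 0; i < levels; i++) e = { $and: [e, true] };
  return e;
}

const hostileSpec = {
  type: "Stack", props: {}, children: [
    { type: "Text", props: { dangerouslySetInnerHTML: { __html: "<img src=x onerror=alert(1)>" } } },
    { type: "Link", props: { href: "java\nscript:alert(1)", label: "Docs" } },
    { type: "script", props: {} },
    { type: "Text", props: { content: deepExpr(20) } },
  ],
};
```

`validateSpec(cleanSpec)` returns no errors; `validateSpec(hostileSpec)` returns four, one each for the raw-HTML prop, the `javascript:` URL (even with the newline a browser would ignore), the unknown `script` component and the 20-level expression chain. The node cap bounds the validator's own work, but the endpoint response should also be size-limited at the transport layer before JSON parsing, which this function cannot do for you.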
Since the system renders AI-generated specs into UIs, a malicious AI could be prompted to create deceptive or phishing interfaces. These UIs, if presented to a human overseer or end-user, could be used for social engineering attacks.
description: "...rendering AI-generated specs."
[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/vercel-labs/json-render/react.svg)](https://mondoo.com/ai-agent-security/skills/github/vercel-labs/json-render/react)