ai-sdk
Answer questions about the AI SDK and help build AI-powered features. Use when developers: (1) Ask about AI SDK functions like generateText, streamText, ToolLoopAgent, embed, or tools, (2) Want to build AI agents, chatbots, RAG systems, or text generation features, (3) Have questions about AI providers (OpenAI, Anthropic, Google, etc.), streaming, tool calling, structured output, or embeddings, (4) Use React hooks like useChat or useCompletion. Triggers on: "AI SDK", "Vercel AI SDK", "generateText", "streamText", "add AI to my app", "build an agent", "tool calling", "structured output", "useChat".
90
92%
Does it follow best practices?
Impact
76%
2.92xAverage score across 3 eval scenarios
Advisory
Suggest reviewing before use
Security
2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 0.90). The skill's instructions in SKILL.md and references/ai-gateway.md explicitly direct the agent to fetch and read public third-party content (e.g., searching ai-sdk.dev/docs and running curl against https://ai-gateway.vercel.sh/v1/models) which the agent must interpret to choose models and drive tool behavior, exposing it to untrusted public web content that can influence actions.
W012: Unverifiable external dependency detected (runtime URL that controls agent)
What this means
The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.
Why it was flagged
Potentially malicious external URL detected (high risk: 0.70). The skill explicitly instructs runtime fetches of external docs and model lists (e.g., fetching https://ai-sdk.dev/docs/agents/building-agents.md and curling https://ai-gateway.vercel.sh/v1/models) which are used to determine model IDs and authoritative behavior, meaning remote content can directly influence agent prompts/decisions.