ai-sdk
Answer questions about the AI SDK and help build AI-powered features. Use when developers: (1) Ask about AI SDK functions like generateText, streamText, ToolLoopAgent, embed, or tools, (2) Want to build AI agents, chatbots, RAG systems, or text generation features, (3) Have questions about AI providers (OpenAI, Anthropic, Google, etc.), streaming, tool calling, structured output, or embeddings, (4) Use React hooks like useChat or useCompletion. Triggers on: "AI SDK", "Vercel AI SDK", "generateText", "streamText", "add AI to my app", "build an agent", "tool calling", "structured output", "useChat".
90
92%
Does it follow best practices?
Impact
76%
2.92xAverage score across 3 eval scenarios
Advisory
Suggest reviewing before use
Security
2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 0.80). The skill explicitly instructs the agent to fetch and parse public third‑party documentation and model lists from ai-sdk.dev and the Vercel AI Gateway (e.g., fetching .md pages from https://ai-sdk.dev and running curl against https://ai-gateway.vercel.sh/v1/models), and to use that live content to choose models and drive behavior, which could enable indirect prompt injection.
W012: Unverifiable external dependency detected (runtime URL that controls agent)
What this means
The skill fetches instructions or code from an external URL at runtime, and the fetched content directly controls the agent’s prompts or executes code. This dynamic dependency allows the external source to modify the agent’s behavior without any changes to the skill itself.
Why it was flagged
Potentially malicious external URL detected (high risk: 0.80). The skill explicitly instructs fetching runtime content from https://ai-gateway.vercel.sh/v1/models and from ai-sdk.dev (e.g., https://ai-sdk.dev/docs/agents/building-agents.md) — remote calls the skill requires at runtime to determine model IDs and current API docs that directly influence model selection and generated code/instructions.