Skip to content

Vercel AI SDK policy index

10 rules — 6 tool · 3 agent · 1 repo

Risk score = severity_weight × confidence × 100 (engine formula; weights: low=0.15, medium=0.40, high=0.70). Higher = worse.

Id SDK/ADK Scope Applies To Policy Severity Confidence Risk Source
1 VAI-001 Vercel AI tool vercel_ai_tool Vercel AI tool execute() spawns a subprocess high 0.85 59.5 shell_safety.yaml
2 VAI-002 Vercel AI tool vercel_ai_tool Vercel AI tool execute() evaluates code (eval / new Function) high 0.90 63.0 code_execution.yaml
3 VAI-003 Vercel AI tool vercel_ai_tool Vercel AI tool execute() fetches a model-controlled URL high 0.75 52.5 ssrf.yaml
4 VAI-004 Vercel AI tool vercel_ai_tool Vercel AI tool has no description low 0.90 13.5 tool_definition.yaml
5 VAI-005 Vercel AI tool vercel_ai_tool Vercel AI tool accepts untyped input medium 0.80 32.0 tool_definition.yaml
6 VAI-006 Vercel AI agent vercel_ai_agent Vercel AI agent wires a provider shell / computer / code-execution tool high 0.85 59.5 agent_safety.yaml
7 VAI-007 Vercel AI agent vercel_ai_agent Vercel AI agent tool loop has no explicit step bound low 0.60 9.0 agent_safety.yaml
8 VAI-008 Vercel AI agent vercel_ai_agent Vercel AI agent forces a provider execution tool every step medium 0.65 26.0 agent_safety.yaml
9 VAI-011 Vercel AI tool vercel_ai_tool Vercel AI tool HTTP call has no timeout high 0.60 42.0 network.yaml
10 VAI-012 Vercel AI repo vercel_ai Vercel AI project ships no agent-guidance doc (AGENTS.md/CLAUDE.md) low 0.90 13.5 repo_hygiene.yaml