react-grab
Warn
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions and helper scripts (
scripts/install.sh,scripts/add-agent.sh) usenpx -y grab@latestto install and initialize components. This results in downloading code from the public npm registry at execution time. - [REMOTE_CODE_EXECUTION]: The use of
npx -y grab@latestexecutes arbitrary code from a third-party package that is not from a recognized trusted vendor. Furthermore, the installation guides for Next.js and Vite recommend injecting a remote script fromunpkg.com/react-grabinto the application's global browser context. - [COMMAND_EXECUTION]: The skill includes shell scripts that perform environment checks (Node.js version validation) and execute package manager commands (
npm,yarn,pnpm,bun) to modify the local project structure.
Audit Metadata