react-grab

Warn

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions and helper scripts (scripts/install.sh, scripts/add-agent.sh) use npx -y grab@latest to install and initialize components. This results in downloading code from the public npm registry at execution time.
  • [REMOTE_CODE_EXECUTION]: The use of npx -y grab@latest executes arbitrary code from a third-party package that is not from a recognized trusted vendor. Furthermore, the installation guides for Next.js and Vite recommend injecting a remote script from unpkg.com/react-grab into the application's global browser context.
  • [COMMAND_EXECUTION]: The skill includes shell scripts that perform environment checks (Node.js version validation) and execute package manager commands (npm, yarn, pnpm, bun) to modify the local project structure.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 17, 2026, 07:06 AM
Security Audit — agent-trust-hub — react-grab