building-react-native-application
Fail
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The utility script
scripts/add-registry-component.jsfetches JSON data from user-provided URLs and uses it to write new source code files directly into thesrc/ui/directory. Furthermore, it automatically parses a list of dependencies from the fetched JSON and installs them using the local package manager (npm,pnpm,yarn, orbun). This creates a path for an attacker to deliver and execute malicious code by tricking a user or the agent into using a malicious registry URL. - [COMMAND_EXECUTION]: The
add-registry-component.jsscript employschild_process.execFileSyncto execute shell commands, includingshadcn@latest viewand various package manager installation commands. These executions are driven by external data retrieved from remote URLs. - [EXTERNAL_DOWNLOADS]: The skill facilitates downloading external content through the registry component script and encourages the installation of additional remote skills via
npx skills addcommands mentioned inSKILL.md.
Recommendations
- AI detected serious security threats
Audit Metadata