building-react-native-application

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's scripts/add-registry-component.js (and the adding-registry-components.md workflow) explicitly runs "shadcn view" and accepts registry URLs (defaulting to https://reactnativereusables.com/r/nativewind/) to fetch and parse registry-item JSON from public URLs, then installs dependencies and writes/transforms files from that untrusted third‑party content into the project, so fetched content is directly read and can materially change tool actions and code.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script scripts/add-registry-component.js runs at runtime and invokes "npx shadcn@latest view " (and will fetch JSON from URLs under https://reactnativereusables.com/r/nativewind/), causing remote packages to be executed and remote registry-item files to be fetched and written into the project—so these URLs are used at runtime to deliver code/content that the script executes or installs.