react-native

Warn

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/add-registry-component.js uses execFileSync to run npx shadcn and npm install. These commands are executed with arguments derived from external registry data, which could allow arbitrary code execution through the npm lifecycle scripts of the packages being installed.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates downloading and installing code and dependencies from remote sources. The add-registry-component.js script fetches JSON definitions from URLs, writes the included source code into the project, and installs the associated packages.
  • [EXTERNAL_DOWNLOADS]: The documentation and helper scripts encourage fetching project resources from third-party registries such as reactnativereusables.com.
  • [DATA_EXFILTRATION]: The add-registry-component.js script performs no path validation when writing files from remote registry JSON; the target field can be used for path traversal to overwrite files outside the intended project scope.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its registry component script.
    1. Ingestion points: scripts/add-registry-component.js fetches remote JSON via shadcn view.
    2. Boundary markers: Absent.
    3. Capability inventory: execFileSync (npm install), fs.writeFileSync.
    4. Sanitization: Only simple regex-based string replacements are performed on the remote content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 25, 2026, 10:51 AM