react-native

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill includes scripts/add-registry-component.js (and the usage in references/components.md: node .../scripts/add-registry-component.js ) which runs npx shadcn view on arbitrary registry URLs (defaulting to https://reactnativereusables.com/r/nativewind/), parses remote JSON, and then installs dependencies and writes files—clearly ingesting untrusted third-party content that can change tool behavior and project state.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The script scripts/add-registry-component.js invokes "npx shadcn@latest view " and by default fetches registry JSON from https://reactnativereusables.com/r/nativewind/ at runtime, then installs dependencies, writes files from that JSON, and may execute the fetched tool, so remote content directly controls code execution and project changes.