rn-upgrade
Warn
Audited by Snyk on Mar 29, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 1.00). This skill explicitly instructs the agent to fetch and analyze public GitHub release notes (https://github.com/facebook/react-native/releases and https://github.com/facebook/react-native/releases/tag/v{target}), raw diffs from raw.githubusercontent.com (rn-diff-purge), and the Upgrade Helper UI, all of which are open/public third-party content that the agent must interpret to determine and apply upgrade actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly constructs and fetches the rn-diff-purge raw diff at runtime from https://raw.githubusercontent.com/react-native-community/rn-diff-purge/diffs/diffs/{current}..{target}.diff and uses the fetched diff to determine and apply native code changes, meaning remote content directly controls what the agent does.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata