react-native-best-practices

Warn

Audited by Snyk on Mar 3, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.80). The skill's workflows explicitly instruct interacting with external public services and scripts. For example, references/js-measure-fps.md tells users to install Flashlight via "curl https://get.flashlight.dev | bash"; references/bundle-analyze-app.md describes uploading an IPA/APK to Emerge Tools and reading its X-Ray insights; and references/bundle-library-size.md directs visiting bundlephobia.com or running npx bundle-phobia-cli. Whatever those services return (installer output, X-Ray insight text, size reports) enters the agent's context as untrusted third-party data that it is expected to read and act on, so it can steer the agent's subsequent decisions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill includes an explicit runtime command that fetches and executes remote code ("curl https://get.flashlight.dev | bash") to install the Flashlight CLI, so external code would run during skill execution. Nothing in that command pins a version or checksum of the script, so whatever the host serves at the time of the request (legitimately or not) is what executes, with the privileges of the user running the agent.
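The two findings above come down to one check a practitioner would run before enabling a skill: grep its reference files for remote code piped into a shell and for external services whose output the agent will read. The script below is an added example, not code from Snyk or from the react-native-best-practices skill. It assumes the skill's workflow files are markdown under the skill directory; the sample tree it builds (make_sample_skill) is constructed for the example, and its lines paraphrase the audited references rather than copying them.

```shell
# Added example, not Snyk's or the skill's own code: a pre-flight lint for the
# markdown workflow/reference files that ship with an agent skill. It flags the
# two patterns behind W011/W012 above:
#   HIGH   - remote content piped straight into a shell (curl|wget ... | sh/bash)
#   MEDIUM - external URLs or npx invocations whose output the agent would read
# The sample skill tree it builds is constructed here to mirror the audited
# references; its file contents are assumptions, not copies of the real skill.

# ERE patterns. [|] is a literal pipe; the trailing group stops "sh" from
# matching inside words such as "shell" or "show".
PIPE_TO_SHELL='(curl|wget)[^|]*[|][[:space:]]*(sudo[[:space:]]+)?(ba|z|da)?sh([^[:alnum:]_]|$)'
EXTERNAL_REF='https?://|npx[[:space:]]+[A-Za-z0-9@./_-]+'

# skill_lint DIR -> one line per hit: SEVERITY<TAB>FILE:LINE:TEXT
skill_lint() {
    skill_dir=$1
    find "$skill_dir" -type f -name '*.md' | sort | while IFS= read -r f; do
        # A line that pipes a download into a shell is reported once, as HIGH.
        grep -nE "$PIPE_TO_SHELL" "$f" | while IFS= read -r hit; do
            printf 'HIGH\t%s:%s\n' "$f" "$hit"
        done
        # Remaining external references are MEDIUM: the agent consumes their output.
        grep -nE "$EXTERNAL_REF" "$f" | grep -vE "$PIPE_TO_SHELL" | while IFS= read -r hit; do
            printf 'MEDIUM\t%s:%s\n' "$f" "$hit"
        done
    done
}

# count_findings DIR SEVERITY -> number of hits at that severity (prints 0 on none).
count_findings() {
    tab=$(printf '\t')
    skill_lint "$1" | grep -c "^$2$tab" || true
}

# make_sample_skill -> builds a constructed skill tree (hypothetical contents that
# mirror the audited references) and prints its path.
make_sample_skill() {
    d=$(mktemp -d)
    mkdir -p "$d/references"
    cat > "$d/references/js-measure-fps.md" <<'EOF'
# Measure FPS
Install Flashlight:
    curl https://get.flashlight.dev | bash
EOF
    cat > "$d/references/bundle-library-size.md" <<'EOF'
# Library size
Visit https://bundlephobia.com or run `npx bundle-phobia-cli react-native`.
EOF
    cat > "$d/references/local-only.md" <<'EOF'
# Local checks
Run `npm run lint` and `yarn test` before committing.
EOF
    printf '%s\n' "$d"
}

# Usage: skill_lint path/to/skill
#    or: skill_lint "$(make_sample_skill)"   # runs against the constructed sample
```

Run `skill_lint path/to/skill` on the real skill directory before enabling it. A HIGH hit is the case to fix first: download the installer to a file, inspect it, and pin a checksum or a tagged release instead of piping it into bash. MEDIUM hits mark the places where the agent should treat fetched text as data to summarize, not as instructions to follow.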

Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 3, 2026, 09:08 AM