react-native-kms-module

Fail

Audited by Socket on Mar 9, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The skill's stated purpose (envelope encryption using AWS KMS in a React Native context) is broadly aligned with its architecture. However, significant security concerns reduce its safety posture: (1) handling of AWS credentials in init() presents a credible exfiltration/compromise risk if credentials are exposed in app code or logs; (2) use of AES-256-ECB for local encryption is cryptographically weak and unsuitable for secure data protection; (3) data flow relies on correct in-memory handling and secure transmission, but explicit mitigations are not described; (4) TLS/pinning and robust credential lifecycle management are not clearly addressed. Overall, the skill is moderately risky (suspicious to MEDIUM risk) due to credential exposure potential and insecure encryption mode. Recommend redesign to use temporary, scoped credentials (e.g., Cognito/STS roles), remove direct credential handling from init(), and switch to authenticated encryption (AES-GCM) with proper IV management and explicit memory hygiene. If these changes are not feasible, treat as high-risk for production use.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 9, 2026, 06:48 AM
Package URL: pkg:socket/skills-sh/boostbrothers%2Fagent-skills-fe%2Freact-native-kms-module%2F@76f6f8b8858cef32ac84ed75b8c63db35cab3785