expo-liquid-glass
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill encourages the installation of several Node.js packages that are either non-existent or reference future-dated software ecosystems (e.g., '@callstack/liquid-glass', 'expo-glass-effect').
  - Evidence: Mentions of `npx expo install @callstack/liquid-glass` and `expo-glass-effect` for iOS 26 support.
  - Risk: Dependency confusion/typosquatting. If these packages are not official and have not been registered by the claimed organizations, an attacker could register them to execute arbitrary code during the installation process.
- COMMAND_EXECUTION (LOW): The skill provides various shell commands for package management and project setup.
  - Evidence: `npx expo install @expo/ui`, `npm install @callstack/liquid-glass`, and `npx expo install expo-router@next`.
  - Context: While these are standard development commands, their use with unverified/future-dated packages increases the overall risk profile.
- METADATA_POISONING (MEDIUM): The skill contains highly misleading metadata regarding technical requirements and external references.
  - Evidence: References to iOS 26, Xcode 26, and WWDC 2025 sessions (e.g., `wwdc2025/280`) which do not exist at the time of analysis.
  - Risk: This can cause an agent to make incorrect assertions about platform capabilities or safety, potentially leading to the adoption of insecure or unverified workaround libraries.
Audit Metadata