react-native-best-practices
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: CRITICAL
Tags: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- Remote Code Execution (CRITICAL): The file 'references/js-measure-fps.md' includes the command 'curl https://get.flashlight.dev | bash'. This pattern downloads and executes a shell script directly from a remote domain that is not included in the Trusted External Sources list. This constitutes an arbitrary code execution risk as the contents of the script are not verified prior to execution.
- External Downloads (MEDIUM): The skill references and installs multiple third-party dependencies from organizations not included in the trust list, such as Spotify ('com.spotify.ruler'), Shopify ('@shopify/flash-list'), and BAM ('flashlight'). While standard in the React Native ecosystem, these are unverifiable packages that could be subject to supply-chain attacks.
- Dynamic Execution (MEDIUM): In 'references/bundle-code-splitting.md', the skill provides instructions for configuring Re.Pack to perform remote code loading (code splitting). This pattern allows an application to fetch and execute JavaScript chunks from a remote CDN at runtime, which is a form of dynamic code execution that must be carefully managed to prevent the loading of malicious assets.
- External Downloads (INFO): The skill references '@rnx-kit/metro-serializer-esbuild'. This is associated with Microsoft, which is a Trusted GitHub Organization, and thus represents a lower risk profile.
Recommendations
- AI detected serious security threats
Audit Metadata