react-native
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): In 'references/js-measure-fps.md', the skill recommends installing the 'Flashlight' tool using 'curl https://get.flashlight.dev | bash'. This pattern is a critical security risk because it executes an unverified script from a non-trusted domain directly in the user's shell. The finding is downgraded from CRITICAL to HIGH as it is a standard installation method for a tool required for the skill's primary performance-measurement purpose.
- [EXTERNAL_DOWNLOADS] (LOW): The skill suggests installing numerous third-party dependencies from sources not on the trusted list (e.g., Bam, Spotify, Shopify, Nandorojo). Evidence includes Gradle plugins from Spotify and npm packages like '@shopify/flash-list' and 'react-native-quick-crypto'.
Recommendations
- AI detected serious security threats
Audit Metadata