rn-skia
Pass
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill provides instructions to install official packages from trusted vendors, including @shopify/react-native-skia and react-native-reanimated. These are industry-standard libraries used for graphics and animations in React Native applications.
- [PROMPT_INJECTION]: The skill features numerous components (e.g., Text, Paragraph, and TextPath) that render user-supplied text or process external data streams (e.g., audioData). This creates a surface for indirect prompt injection where maliciously crafted input data could be used to influence the agent's context.
  - Ingestion points: File 'references/text-fonts.md' (Text, Paragraph, TextPath props); File 'references/advanced-patterns.md' (audioData in WaveformVisualizer).
  - Boundary markers: No boundary markers or 'ignore' instructions are used to delimit untrusted data in the prompt interpolation templates.
  - Capability inventory: The skill is restricted to UI rendering and does not include any scripts or subprocess calls capable of file system access, network operations, or shell execution.
  - Sanitization: No input validation or output escaping is demonstrated in the provided rendering code snippets.