react-doctor
Warn
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [External Downloads] (MEDIUM): The skill instructs the agent to run npx -y react-doctor@latest, which downloads and executes code from the npm registry at runtime.
  - Evidence: Found in the usage section of SKILL.md.
  - Risk: The package react-doctor is not associated with a trusted organization or repository. The use of @latest ensures the most recent version is used, which could be exploited in a supply chain attack to execute malicious code on the local system.
- [Command Execution] (LOW): The skill executes a command-line interface (CLI) tool with access to the local filesystem (.).
  - Evidence: npx -y react-doctor@latest . --verbose --diff
  - Risk: While intended for code analysis, the tool has the capability to read any file in the directory it is executed in.
Audit Metadata