react-native-best-practices

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The reference file references/js-measure-fps.md explicitly instructs the user to run curl https://get.flashlight.dev | bash. This pattern of piping a remote script directly into a shell from an untrusted source is a severe security risk.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill provides a guide for remote code loading via @callstack/repack in references/bundle-code-splitting.md. It demonstrates how to fetch and execute JavaScript bundles from a remote CDN at runtime, creating a major vulnerability if the delivery mechanism or CDN is compromised.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The documentation encourages the installation of various external dependencies from organizations not identified as trusted (e.g., Shopify, Callstack, Software Mansion, Bam.tech). These include packages like @shopify/flash-list, react-native-reanimated, and react-native-performance.
  • [COMMAND_EXECUTION] (LOW): The skill contains various shell commands for build processes, such as gradlew, xcodebuild, and npx react-native bundle, which are standard for mobile development but require execution of complex scripts on the developer's environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 09:48 PM