react-doctor
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses `npx` to fetch the `react-doctor` package from the npm registry (npmjs.com) at runtime.
- [REMOTE_CODE_EXECUTION]: The instruction `npx -y react-doctor@latest` performs a download-and-execute operation, running remote code on the local system without prior verification or a locked version hash.
- [COMMAND_EXECUTION]: The workflow requires the execution of a shell command (`npx -y react-doctor@latest . --verbose`) that operates on the project's root directory, granting the external tool access to the local codebase.
Audit Metadata