react-change-review
Warn
Audited by Gen Agent Trust Hub on Apr 25, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses 'npx -y react-doctor@latest . --verbose --diff' to download and execute code from the NPM registry at runtime. This execution lacks version pinning or integrity checks, which could lead to the execution of untrusted or malicious versions of the tool.
- [COMMAND_EXECUTION]: The workflow instructs the agent to 'Inspect package scripts and run the cheapest relevant checks' such as linting or tests. This allows for the execution of arbitrary shell commands defined in the project's 'package.json' file, which can be easily modified by an attacker in a code change being reviewed.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from git diffs and pull requests while maintaining the capability to execute system commands.
- [PROMPT_INJECTION]: Ingestion points: The skill reads staged/unstaged changes, PR descriptions, and the content of modified React and TypeScript files in the 'Scope The Recent Changes' section.
- [PROMPT_INJECTION]: Boundary markers: The instructions do not define any delimiters or provide warnings to the agent to disregard instructions potentially embedded within the code changes being reviewed.
- [PROMPT_INJECTION]: Capability inventory: The skill has the ability to execute 'git' commands, 'npx' packages, and arbitrary scripts defined in the local 'package.json'.
- [PROMPT_INJECTION]: Sanitization: There is no evidence of validation or sanitization of the input data before it is used to determine which files to read or which scripts to run.
- [EXTERNAL_DOWNLOADS]: The skill fetches external code from the public NPM registry via npx during the review process.