mobile-migrate
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The skill uses 'pnpm dlx create-expo-app@latest', which fetches and executes code from the npm registry at runtime without manual verification.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Multiple npm packages (e.g., nativewind, convex, clerk) are installed without version locks, increasing susceptibility to supply chain attacks.
- [COMMAND_EXECUTION] (LOW): The skill runs broad shell commands for file system management (mkdir, touch) and project initialization.
- [PROMPT_INJECTION] (LOW): Mandatory Evidence Chain:
  1. Ingestion: the 'rg' command reads local file paths from 'apps/web'.
  2. Boundaries: none.
  3. Capability: file creation ('mkdir', 'touch') and workspace modification.
  4. Sanitization: none. Malicious file names in the web project could potentially influence the scaffolding logic.
Recommendations
- AI detected serious security threats
Audit Metadata