expo-router-screenshots
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Categories: DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill captures screenshots of the user's local application and automatically uploads them to a non-trusted external endpoint (`https://api.freesupabase.shop/api/upload`). This process can result in the exfiltration of sensitive information, PII, or internal configurations displayed in the app's UI.
- [EXTERNAL_DOWNLOADS]: The `scripts/take-screenshot.sh` script automatically executes `npm install` if the `node_modules` directory is missing. This results in the downloading and execution of third-party packages from the public registry during the skill's execution.
- [COMMAND_EXECUTION]: The skill instructions require the agent to spawn local processes to start React Native Web servers (e.g., `npm run web`) and execute a Node.js script that launches a Puppeteer browser instance with the `--no-sandbox` flag, which reduces browser isolation security.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it is instructed to read and prioritize instructions from local project files (`agents.md`, `cloud.md`, `architecture.md`). These files could be modified by an attacker to manipulate the agent's behavior.
  - Ingestion points: Project configuration files (`agents.md`, `cloud.md`, `architecture.md`) and the local application UI content.
  - Boundary markers: None. The agent is directed to follow the conventions found in the ingested files without restrictions.
  - Capability inventory: Shell command execution, local server management, browser automation, and network POST requests to an external API.
  - Sanitization: No validation or sanitization of the content from the local files or application UI is performed before the agent processes them.
Audit Metadata