expo-architect

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/init-expo.py performs extensive file system operations, including directory creation and file writing. It includes an --allow-outside flag that explicitly permits the agent to create or overwrite files outside the current working directory, which poses a risk of unauthorized modification of sensitive files if the agent is manipulated via prompt injection.
  • [DYNAMIC_EXECUTION]: The scaffolding script generates React Native code (.tsx) and configuration files by interpolating user-provided inputs (--name, --tabs) into string templates. The tab names are not sanitized and are used directly in component names and file paths. This could lead to code injection in the generated app, or to path traversal if a user provides a tab name containing directory navigation characters (e.g., ../../).
  • [EXTERNAL_DOWNLOADS]: The generated package.json includes dependencies from the official npm registry, including Expo SDK, React Native, and Clerk. These are well-known and standard dependencies for the mobile development use case.
  • [DATA_EXPOSURE]: The skill generates patterns for handling authentication using Clerk, including session token management in lib/api.ts. While it uses standard environment variable patterns (EXPO_PUBLIC_CLERK_PUBLISHABLE_KEY), it establishes a framework for handling sensitive user credentials.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 10, 2026, 09:45 AM