react-email-templates

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The script scripts/setup-preview-server.sh automatically installs npm packages (react-email, @react-email/components) and suggests installing others (express, ts-node). These packages are not from the explicitly trusted list of organizations provided in the security guidelines.
  • COMMAND_EXECUTION (LOW): The skill utilizes shell scripts (setup-preview-server.sh, validate-component.sh) to perform environment setup, package management, and file validation. These scripts are intended for local development use.
  • DYNAMIC_EXECUTION (LOW): The skill dynamically generates two TypeScript files (scripts/preview.ts and scripts/dev-server.ts) which are subsequently executed via ts-node for the development workflow.
  • DATA_EXPOSURE (LOW): The generated dev-server.ts contains a path traversal vulnerability in the /preview/:name route. The code uses path.join('.email-previews', `${req.params.name}.html`) without sanitizing the name parameter, so a request whose name contains directory traversal sequences such as ../../ can potentially read any .html file on the filesystem.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:19 PM