react-modernization
Warn
Audited by Snyk on Mar 7, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's "Run React Codemods" section explicitly instructs running npx jscodeshift and npx codemod with transforms hosted on raw.githubusercontent.com and other third-party codemod packages, which fetches and executes public GitHub/third-party code that the agent will ingest and act on.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The codemod commands invoke npx jscodeshift with remote transform scripts hosted on raw.githubusercontent.com (e.g., https://raw.githubusercontent.com/reactjs/react-codemod/master/transforms/rename-unsafe-lifecycles.js and similar URLs), which are fetched at runtime and executed as code, so they are runtime external dependencies that execute remote code.
Audit Metadata