Security Audit
react-native-best-practices
github.com/callstackincubator/agent-skills
Trust Assessment
react-native-best-practices received a trust score of 85/100, placing it in the Mostly Trusted category. The skill passed most security checks, with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 0 medium, and 1 low severity. The single finding is unpinned `npx` commands in the skill's examples.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on May 1, 2026 (commit ace14e40). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| LOW | **Unpinned `npx` commands in examples.** The skill provides `npx` commands (`npx react-native bundle`, `npx source-map-explorer`) as examples for users to run. These commands do not specify a version, so `npx` will fetch the latest available version from npm. This introduces a supply chain risk: a malicious update to either package, or a typosquatted package name, could lead to execution of arbitrary code on the developer's machine. While the 'Security Notes' section advises 'prefer version-pinned tooling', the examples themselves do not follow this practice, potentially leading users to execute unpinned versions. Recommendation: pin the versions of `react-native` and `source-map-explorer` in the `npx` commands (e.g., `npx react-native@0.73.0 bundle ...` or `npx source-map-explorer@2.5.0 output.js`), or add a prominent note directly above the commands reminding users to pin versions. | Static | SKILL.md:68 |
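The check behind this finding is mechanical enough to automate before a skill is published. The following POSIX shell script is an added example, not SkillShield's scanner and not part of the react-native-best-practices skill: it lists every `npx <package>` invocation in a file that carries no `@version`, counts them so a CI job can fail on a non-zero result, and rewrites a named package to its pinned form. It assumes commands appear on their own line or inline in backticks, that the package is the first non-flag word after `npx`, and that a pinned package has the form `name@version` (scoped names such as `@scope/tool` are recognised by looking for an `@` after the first character). The sample file is constructed for the demonstration; the version numbers in it are illustrative, not recommendations.

```shell
#!/bin/sh
# Added example (not SkillShield's or the skill's own code): detect and fix
# unpinned `npx <package>` invocations in a markdown/text file.

# unpinned_npx FILE: print "LINE: npx <package>" for each invocation with no
# @version. Reads stdin when FILE is "-" or omitted.
unpinned_npx() {
    awk '
    {
        n = split($0, w, /[ \t`]+/)
        for (i = 1; i <= n; i++) {
            if (w[i] != "npx") continue
            j = i + 1
            while (j <= n && w[j] ~ /^-/) j++   # skip npx flags such as -y / --yes
            if (j > n || w[j] == "") continue
            pkg = w[j]
            # a version pin is an @ after the first character; scoped names
            # (@scope/name) start with @ and are still unpinned without one
            if (substr(pkg, 2) ~ /@/) continue
            printf "%d: npx %s\n", NR, pkg
        }
    }' "${1:--}"
}

# unpinned_npx_count FILE: number of unpinned invocations (0 means clean),
# suitable as a CI gate: [ "$(unpinned_npx_count SKILL.md)" = 0 ] || exit 1
unpinned_npx_count() {
    unpinned_npx "${1:--}" | wc -l | tr -d ' '
}

# pin_npx FILE PACKAGE VERSION: print FILE with every bare `npx PACKAGE`
# rewritten to `npx PACKAGE@VERSION`; already-pinned occurrences are untouched.
# PACKAGE is used literally in the pattern, so names containing regex
# metacharacters other than '-' and '/' would need escaping.
pin_npx() {
    sed -E "s#npx $2([^@[:alnum:]_./-]|\$)#npx $2@$3\1#g" "$1"
}

# Constructed sample standing in for the skill's examples section
sample=$(mktemp)
cat > "$sample" <<'EOF'
Run `npx react-native bundle --platform ios --dev false` to build.
Then inspect it with `npx source-map-explorer output.js`.
Already pinned: npx -y source-map-explorer@2.5.3 output.js
EOF

unpinned_npx "$sample"
# 1: npx react-native
# 2: npx source-map-explorer
pin_npx "$sample" react-native 0.73.0 | unpinned_npx_count -
# 1
rm -f "$sample"
```

Pinning closes the drift problem the finding describes (a later malicious release of the same package), but it does not address the typosquatting half: `npx sorce-map-explorer@2.5.0` is pinned and still wrong. The checker therefore only reports that a version is absent; confirming that the package name itself is the intended one, and that the pinned version matches the project's lockfile, remains a separate review step.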
Full report: https://skillshield.io/report/fe24f8275f2933a7 (powered by SkillShield)