react-native-expo

skills-sh:jezweb_claude-skills__react-native-expo

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 20, 2026

Findings

Score

100/100

LOW 5

Findings (5)

LOW

Unverified npx package execution EXTDL_008

external-download L202

Detects npx executing packages from unverified sources without pinned versions

npx @codemod/react-19

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L1049

Detects npx executing packages from unverified sources without pinned versions

npx @codemod/react-19

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Unverified npx package execution EXTDL_008

external-download L1498

Detects npx executing packages from unverified sources without pinned versions

npx @codemod/react-19

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.

LOW

Shell script file execution CMDEXEC_013

command-execution L1903

Detects execution of shell script files via bash/sh command or direct invocation

./scripts/check-rn-version.sh

FIX

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

LOW

Unverified npx package execution EXTDL_008

external-download L2037

Detects npx executing packages from unverified sources without pinned versions

npx @codemod/react-19

FIX

Pin the npx package to an exact version (e.g., npx @scope/package@1.2.3). Unversioned npx commands can silently install a different or malicious package version.

FP?

Likely FP if the npx command targets a well-known package in documentation context, though unpinned versions are a real supply chain concern.