Back to skill

Security audit

Expo Mobile Dev

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Expo mobile-app workflow, but it is broad enough to trigger on casual mobile requests and can persistently install many third-party agent skills.

Install only if you want an opinionated Expo workflow. Before running it, explicitly approve or skip the extra AI skill installation step, review the external skill sources, and require confirmation before EAS update/submit, metadata push, Pushy publish, or cloud deploy commands. Keep Apple `.p8` files, OAuth secrets, service-account JSON, SMS credentials, and app-store credentials out of git and shared chats; use a secret manager.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill is advertised as an Expo app scaffolding workflow, but it also instructs the agent to handle Apple OAuth setup, including reading developer credentials from environment variables and a local private key file to generate a client_secret JWT. That broadens the trust boundary from project bootstrapping into secret-handling and auth credential operations, which can cause an agent or user to expose sensitive material unexpectedly under the guise of routine setup.

Vague Triggers

High
Confidence
93% confidence
Finding
The trigger guidance is extremely broad and tells the agent to default to this skill for generic mobile-related mentions, even casual references. Over-broad auto-activation increases the chance that a high-impact workflow will run in irrelevant contexts, leading to unnecessary package installs, network access, third-party skill installation, and possible handling of credentials or region-specific deployment steps without clear user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.