The skill exposes native functions to untrusted web content
Claims to do
What are DOM Components? DOM components allow web code to run verbatim in a webview on native platforms while rendering as-is on web. This enables using web-only libraries like `recharts`, `react-syntax-highlighter`, or any React web library in your Expo app without modification.
Actually does
This skill describes a feature in Expo that enables embedding web-based React components, including those utilizing web-only libraries, within native Expo applications via a webview (WKWebView/WebView) or rendering them directly on web platforms. It details configuration, data passing between native and web contexts, and integration with Expo Router, but the skill itself does not call external tools, access data, run commands, or contact URLs.
The skill explicitly allows exposing native async functions as props to the webview. This creates a powerful bridge where potentially untrusted web content can invoke native code, leading to arbitrary command execution, data manipulation, or exfiltration if the native functions are not securely implemented.
Pass async functions as props to expose native functionality to the DOM component:
The core functionality involves rendering arbitrary web code and integrating third-party web libraries within a webview. This introduces supply chain risks if external libraries are compromised, and potential Cross-Site Scripting (XSS) if the web content itself is untrusted.
DOM components allow web code to run verbatim in a webview on native platforms... This enables using web-only libraries like recharts, react-syntax-highlighter, or any React web library...