react-native-security-review
Review React Native code for security vulnerabilities including PII/PHI storage, authorization bypass risks, secrets handling, token exposure, unvalidated identifiers, unsafe logging, mobile storage risks, and other security-critical mobile issues. Use when asked to check security, sensitive data handling, authentication, authorization, storage, logging, or network-related React Native changes.
React Native Security Review
Use this skill to review React Native code for mobile security risks, especially sensitive healthcare data handling and client-side authorization mistakes.
Workflow
- Inspect local repository guidance, security docs, package manifests, storage utilities, API clients, and authentication or navigation flows relevant to the requested change.
- Read changed files before broad scans. Use rg for risky APIs and then validate each candidate in context.
- Check sensitive data storage and logging: AsyncStorage, SecureStorage, MMKV, filesystem writes, crash logs, analytics payloads, console logs, and debug traces.
- Check authorization boundaries: never trust BIGN, member IDs, plan IDs, or other identifiers from the client, URL, route params, or query strings as authorization proof.
- Check secrets and token handling: no secrets in source, env files, logs, analytics, error messages, screenshots, tests, or committed mocks.
- Check network and platform security when relevant: certificate pinning, production domains, request headers, token injection, native modules pulled in by dependencies, and insecure transport.
- Report blocking findings first with file:line references and a concrete remediation path.
Review Focus
- PII, PHI, credentials, tokens, financial data, or member identifiers stored on device without an approved secure-store pattern.
- Authorization logic that trusts client-provided BIGN/member/plan identifiers or route parameters.
- Secrets committed in source, env templates, mocks, logs, analytics payloads, or tests.
- Sensitive data printed through console, crash reporting, analytics, or debugging helpers.
- Unvalidated deep links, URLs, query parameters, and WebView input.
- Insecure transport, missing certificate pinning where required, or bypassed platform security controls.
Output
- Lead with findings ordered by severity, with file and line references when possible.
- Separate blocking issues from high, medium, and low priority recommendations.
- Explain impact in mobile-user terms: security exposure, broken rollout, jank, inaccessible flow, analytics drift, build/runtime failure, or maintainability risk.
- Include specific remediation guidance. Keep code snippets small unless the user asks for an implementation.
- If no issues are found, say so clearly and note any meaningful test or verification gaps.
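As an added example (not this skill's own code and not UHC Mobile code), the script below encodes the Workflow grep step and the Review Focus items as a first-pass scanner and prints findings in the Output shape; the rule ids, severities, remediation text and the sample source are assumptions constructed for illustration.

```javascript
// Added example, not part of this skill or the UHC Mobile code base: a first-pass
// scanner for the risky APIs the workflow greps for. Rule ids, severities, fix text
// and the sample source are all constructed for illustration.
const SEVERITY_RANK = { blocking: 0, high: 1, medium: 2, low: 3 };
// Loose substring match on purpose: it yields candidates, and the reviewer still
// validates every hit in context (e.g. "phi" also matches "graphics").
const SENSITIVE = /(token|password|secret|ssn|phi|bign|member_?id|plan_?id)/i;
const RULES = [
  { id: 'plain-storage-of-sensitive-data', severity: 'blocking',
    test: (l) => /AsyncStorage\.setItem\s*\(/.test(l) && SENSITIVE.test(l),
    fix: 'keep tokens and PHI out of AsyncStorage; use the approved secure-store wrapper' },
  { id: 'hardcoded-secret', severity: 'blocking',
    test: (l) => /(apiKey|secret|token)\s*[:=]\s*['"][A-Za-z0-9_-]{16,}['"]/i.test(l),
    fix: 'remove the literal and inject it from the environment/secrets flow at build time' },
  { id: 'sensitive-data-logged', severity: 'high',
    test: (l) => /console\.(log|debug|info|warn|error)\s*\(/.test(l) && SENSITIVE.test(l),
    fix: 'drop the log or redact the field before it reaches console, crash or analytics sinks' },
  { id: 'client-identifier-as-authorization-input', severity: 'medium',
    test: (l) => /(route\.params|useRoute\(\)\.params|params\.get\()/.test(l) && SENSITIVE.test(l),
    fix: 'treat the value as a hint only; the backend authorizes from the session, not this id' },
];
// Scan one file's text; findings come back ordered by severity, then line number.
function scanSource(file, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.test(text)) {
        findings.push({ file, line: idx + 1, severity: rule.severity, rule: rule.id, fix: rule.fix });
      }
    }
  });
  return findings.sort((a, b) =>
    SEVERITY_RANK[a.severity] - SEVERITY_RANK[b.severity] || a.line - b.line);
}
// Report shape from the Output section: severity first, file:line, then the remediation.
function formatReport(findings) {
  if (findings.length === 0) return ['No findings; note any remaining verification gaps.'];
  return findings.map((f) => `[${f.severity}] ${f.file}:${f.line} ${f.rule}: ${f.fix}`);
}
// Constructed sample: four risky lines plus one benign AsyncStorage write that must not be flagged.
const SAMPLE = [
  "const apiKey = 'EXAMPLE_PLACEHOLDER_KEY_000';",
  "await AsyncStorage.setItem('authToken', token);",
  "console.log('member', memberId, token);",
  "const bign = route.params.bign;",
  "await AsyncStorage.setItem('onboardingSeen', 'true');",
].join('\n');
console.log(formatReport(scanSource('src/constructed/Auth.ts', SAMPLE)).join('\n'));
```

Every hit is a candidate to read in context, as the Workflow says; the scanner is a starting point for the rg pass, not a verdict.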
References
references/review-guide.md: Migrated detailed review guide from the original mobile-ai-skills agent definition. Read it when you need the full checklist, example report shape, or grep patterns.
Related Assets
dependency-management-reviewer
Review React Native and UHC Mobile dependency additions for maintenance status, React Native compatibility, New Architecture readiness, security vulnerabilities, bundle impact, license and ownership risk, justification, alternatives, and approved federation package usage. Use when package.json, lockfiles, native modules, or third-party package choices change.
Owner: optum-tech-compute
react-native-performance-review
Review React Native code for performance issues including unnecessary re-renders, inline functions, missing memoization, inefficient lists, context overuse, missing cleanup, and other mobile-specific performance problems. Use when asked to check performance, optimize React Native code, reduce jank, or review performance-critical mobile changes.
Owner: optum-tech-compute
uhc-env-secrets-reviewer
Review UHC Mobile environment configuration, secrets handling, Vault-to-Artifactory flows, react-native-config access, Firebase environment overrides, certificate pinning, production domain usage, local dev configuration, and secret exposure risks. Use when env files, build configuration, Firebase overrides, certificate pinsets, domains, tokens, or secrets-related mobile code changes.
Owner: optum-tech-compute
file-structure-auditor
Review React Native and UHC Mobile code for file structure, file naming, related-file grouping, folder organization, modal placement, utility extraction, and package boundary standards. Use when asked to audit directories, organize components, review screen/package layout, or clean up UHC Mobile file structure.
Owner: optum-tech-compute
mobile-accessibility-reviewer
Review mobile React Native UI and federated modules for accessibility labels, roles, hints, states, focus handling, announcements, disabled/loading/error states, dynamic text scaling, design-token contrast, keyboard and screen reader behavior, and approved accessibility package usage. Use when reviewing mobile UI, forms, navigation, modals, cards, buttons, or federated UI surfaces.
Owner: optum-tech-compute
uhc-analytics-reviewer
Review UHC Mobile analytics implementations for .analytics.ts isolation, track-prefixed functions, Adobe payload casing, analytics constants, screenNameMapEntries updates, route mapping, A/B test tracking, event placement, and federated analytics events. Use when adding or changing mobile analytics, tracking hooks, navigation tracking, or Adobe payloads.
Owner: optum-tech-compute