High-risk tools in React Native Dev
8 of the 15 tools in React Native Dev are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
boot_deviceExecuteBoot a simulator/emulator by id and wait until it is usable. No-op if already booted. For cold Android AVDs use the avd:<name> id from list_devices.
-
evaluate_jsExecuteExecute a JavaScript expression inside the running React Native app and return the result. Use to inspect state (Redux/Zustand stores, globals) or trigger behavior. Promises are...
-
install_appExecuteInstall a built app artifact on a booted device: a .app bundle (iOS simulator) or .apk (Android). Returns the app id for launch_app.
-
launch_appExecuteLaunch an installed app on a booted device by bundle id / package name.
-
open_urlExecuteOpen a URL on the device: custom schemes (myapp://...), universal links, or exp:// links. The primary way to drive app navigation from outside the app.
-
reload_appExecuteTrigger a full JS reload of the running React Native app (same as pressing
-
set_status_bar_demoExecuteSet a clean, deterministic status bar (9:41, full battery, full signal) for stable screenshots — or restore the real one with enabled: false.
-
terminate_appExecuteStop a running app. Succeeds (terminated: false) if the app was not running.
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.