High-risk tools in React Native
15 of the 44 tools in React Native are classified as high risk. This page profiles those tools specifically, with recommended policy actions and the attack patterns that target them.
Every operation listed below is an action PolicyLayer recommends controlling at the transport layer. Open any tool to see the full profile, risk score, and YAML policy snippet.
Tools at high risk
-
evaluate_scriptExecuteRun JS in React Native app context (not WebView). Returns JSON result. For WebView JS, use webview_evaluate_script. Use measureView(uid) for coords.
-
input_keyExecuteSend key event to device (Return, Backspace, ENTER, BACK, etc.).
-
open_deeplinkExecuteOpen deep link on simulator/device. Navigate to screens via URL scheme.
-
press_buttonExecutePress hardware button (HOME, BACK, LOCK, VOLUME, etc.).
-
scroll_until_visibleExecuteScroll until RN element matching selector becomes visible. For long lists and off-screen elements. After scrolling, use query_selector to get the element position for tap.
-
set_network_mockExecuteAdd network mock. Matching XHR/fetch return mock without hitting network.
-
set_orientationExecuteSet device orientation to portrait or landscape. iOS: simulator only.
-
start_render_highlightExecuteShow visual re-render overlay on device. Highlights re-rendering components with count badges.
-
start_render_profileExecuteStart render profiling. Tracks mounts, re-renders, and unnecessary renders.
-
start_video_recordingExecuteStart screen recording. Call stop_video_recording to save.
-
swipeExecuteSwipe from (x1,y1) to (x2,y2) in points. Get coordinates from query_selector. For scrolling and drawers.
-
switch_keyboardExecuteSwitch keyboard language on simulator/emulator. Use before input_text for correct layout.
-
tapExecuteTap at (x,y) in points. Get coordinates from query_selector (pageX/pageY). For WebView DOM elements, use webview_evaluate_script instead. Long press via duration param.
-
webview_evaluate_scriptExecuteRun JS inside a WebView (DOM query, click, read text, etc). Use this instead of tap for any WebView content — tap cannot target DOM elements. Get webViewId via evaluate_script w...
-
webview_tapExecuteTap a DOM element inside a WebView using native tap. Resolves CSS selector to screen coordinates via getBoundingClientRect + WebView native position, then taps via idb/adb. Use ...
Attacks that target this class
High-risk tools in any server share these documented attack patterns. Each links to the full case and the defensive policy.