shadcn-ui
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill uses multiple bash commands to initialize projects and manage components, such as 'npx shadcn@latest init' and 'pnpm dlx shadcn@latest add'.
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to execute remote code via the shadcn CLI, which fetches component definitions and logic from external registries like ui.shadcn.com and custom namespaced registries.
- [EXTERNAL_DOWNLOADS]: The skill downloads code, styles, and configurations from various remote URLs, including official and custom component registries.
- [EXTERNAL_DOWNLOADS]: The 'reference.md' file contains obfuscated URLs using percent encoding ('%2F') to represent protocol separators. These URLs point to context-serving domains and were likely encoded to avoid detection by simple text scanners.