shadcn
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses dynamic context injection in `SKILL.md` via the `` !`npx shadcn@latest info --json` `` command. This results in the automatic execution of a shell command when the skill is loaded to provide the agent with project configuration data.
- [REMOTE_CODE_EXECUTION]: The `add` command documented in `cli.md` allows for the installation of components from arbitrary external URLs (e.g., `npx shadcn@latest add https://api.npoint.io/abc123`). This capability can be exploited to download and execute untrusted code if the source is malicious.
- [EXTERNAL_DOWNLOADS]: The skill workflow in `SKILL.md` and `cli.md` involves fetching content from external URLs, such as component documentation and usage examples generated by the `npx shadcn@latest docs` command.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its processing of untrusted external data.
  - Ingestion points: Documentation and example URLs fetched from the `docs` command, and registry item content viewed via the `view` command.
  - Boundary markers: No boundary markers or 'ignore' instructions are provided for the ingested data.
  - Capability inventory: High-privilege shell command execution via the `npx shadcn@latest add` tool.
  - Sanitization: No sanitization or validation of the remote content is performed before processing.
Audit Metadata