shadcn-ui
Warn
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The file 'references/reference.md' contains URLs that use a suspicious double-protocol encoding trick ('http://https:%2F%2F...'). This obfuscation hides the true destination URL ('https://context7.com/...') from basic static analysis and can be used to bypass security filters.
- [REMOTE_CODE_EXECUTION]: The skill makes extensive use of the shadcn CLI, which is designed to fetch and execute component code from remote registries. The documentation specifically includes examples of installing components from arbitrary remote URLs (e.g., 'npx shadcn add https://acme.com/registry/navbar.json'), which is a significant execution vector for untrusted code.
- [COMMAND_EXECUTION]: The skill instructs the agent to execute numerous shell commands using npx, npm, and pnpm for project setup and component management across multiple frameworks including Next.js, Laravel, and Astro.
Audit Metadata