shadcn
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes dynamic context injection in SKILL.md to execute the official shadcn CLI 'info' command. This retrieves project configuration metadata and installed component lists upon skill initialization.
- [PROMPT_INJECTION]: The skill is instructed to fetch and process external documentation and usage examples from remote URLs, which represents a surface for indirect prompt injection.
  - Ingestion points: Documentation and example URLs (SKILL.md, cli.md) fetched via the shadcn docs command.
  - Boundary markers: Absent.
  - Capability inventory: Shell command execution via the shadcn CLI (SKILL.md, cli.md).
  - Sanitization: Absent.
- [EXTERNAL_DOWNLOADS]: The skill downloads component source code and registry information from established registries and official repositories using npx and project-specific package managers.