shadcn
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION
EXTERNAL_DOWNLOADS
Full Analysis
- Dynamic Context Injection: The skill employs the `!command` syntax to execute `npx shadcn@latest info` upon loading. This automatically populates the agent's context with project-specific details such as import aliases, Tailwind configuration, and installed components.
- Command Execution via CLI: Instructions guide the agent to perform project tasks using the `shadcn` CLI through package runners like `npx`, `pnpm dlx`, or `bunx`. This is the standard operational model for adding and managing UI components.
- External Documentation Retrieval: The workflow involves generating documentation and example URLs via the CLI, which the agent then fetches. This ensures the assistant uses current API references and best practices directly from official registries and repositories.
- Indirect Prompt Injection Surface: The skill is designed to ingest and process data from external documentation URLs and registry files. While this represents a potential surface for indirect prompt injection if those sources were compromised, the instructions prioritize official vendor-controlled domains and repositories.
Audit Metadata