The Agent Skills Directory

[SAFE]: The skill utilizes dynamic context injection in SKILL.md via the !command`` syntax to execute npx shadcn@latest info --json. This command retrieves necessary project metadata (framework, package manager, components) to provide the agent with current context. This is a legitimate use of the feature with a well-known, reputable tool.\n- [SAFE]: In mcp.md, the skill demonstrates how to configure private registries using environment variable resolution (e.g., ${MY_TOKEN}). This follows recommended practices for managing sensitive credentials and avoids hardcoding secrets.\n- [SAFE]: The skill explicitly instructs the agent to avoid fetching raw files from GitHub or other external sources manually, emphasizing the use of the CLI (npx shadcn@latest) instead. This approach significantly mitigates risks associated with untrusted remote content.\n- [SAFE]: All external URLs and documentation references target trusted or well-known domains (e.g., ui.shadcn.com, github.com) that are directly relevant to the shadcn/ui ecosystem.

shadcn