shadcn
Pass
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes dynamic context injection in the SKILL.md file to execute the 'info' command of the shadcn CLI automatically when the skill is loaded, ensuring project-specific configuration is available to the agent.
- [REMOTE_CODE_EXECUTION]: The instructions direct the agent to install and update UI components using the shadcn CLI via standard package managers (npx, pnpm, bun), which involves executing code from the official NPM registry.
- [PROMPT_INJECTION]: The skill establishes a workflow for fetching external documentation and code examples from URLs generated by the CLI's 'docs' command. Mandatory Evidence Chain:
  - Ingestion points: Documentation and example URLs provided by CLI output.
  - Boundary markers: Absent.
  - Capability inventory: Bash tool access for command execution and file system updates.
  - Sanitization: Relies on the resolution mechanism of the official shadcn registry.
Audit Metadata