shadcn
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
COMMAND_EXECUTION EXTERNAL_DOWNLOADS PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves documentation and code examples from external URLs, such as those provided by the `npx shadcn@latest docs` command. These remote sources could contain malicious instructions that the agent might inadvertently follow.
  * Ingestion points: External documentation and example URLs fetched during the workflow.
  * Boundary markers: None identified.
  * Capability inventory: Shell command execution via project runners, file system writes, and network access.
  * Sanitization: External content is not sanitized or validated before processing.
- [COMMAND_EXECUTION]: The skill uses dynamic context injection in `SKILL.md` with the `!command` pattern. Specifically, it executes `npx shadcn@latest info --json` to populate the agent's context when the skill is loaded. While utilized here for gathering project metadata from a well-known tool, this mechanism allows for shell execution at load time.
- [EXTERNAL_DOWNLOADS]: The skill relies on package runners (npx, pnpm dlx, bunx) to fetch and execute the shadcn CLI dynamically. It also supports the installation of UI components from external registries and arbitrary user-provided URLs.
Audit Metadata