shadcn

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the npx shadcn@latest CLI tool across its instructions and bash scripts (scripts/audit-theme.sh, scripts/diff-all.sh, scripts/project-state.sh). This is the standard, well-known tool for the shadcn/ui library used to initialize projects and manage components.
  • [EXTERNAL_DOWNLOADS]: The skill documents the ability to add components from external URLs and custom registries (e.g., npx shadcn@latest add https://example.com/r/my-component.json). While this is a core feature of the shadcn distribution model, it presents a potential attack surface if an agent is directed to fetch components from untrusted or malicious sources.
  • [INDIRECT_PROMPT_INJECTION]: The skill includes an attack surface for indirect injection as it reads and processes project configuration files (components.json, package.json, and CSS files) to determine its workflow.
  • Ingestion points: Files components.json, package.json, and project CSS files are read by scripts in the scripts/ directory.
  • Boundary markers: None explicitly defined for the data read from these files.
  • Capability inventory: The skill has the capability to execute shell commands via npx and read/write files within the project directory.
  • Sanitization: Standard shell scripting practices are used (e.g., set -euo pipefail), but the content of the JSON files is not strictly sanitized against prompt injection patterns.
  • [CREDENTIALS_SAFE]: The skill demonstrates safe credential management practices in references/components-json-schema.md by using environment variable expansion (${PRIVATE_REGISTRY_TOKEN}) for registry authentication headers instead of hardcoding secrets.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 04:38 PM
Security Audit — agent-trust-hub — shadcn