shadcn
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
npx shadcn@latestCLI tool across its instructions and bash scripts (scripts/audit-theme.sh,scripts/diff-all.sh,scripts/project-state.sh). This is the standard, well-known tool for the shadcn/ui library used to initialize projects and manage components. - [EXTERNAL_DOWNLOADS]: The skill documents the ability to add components from external URLs and custom registries (e.g.,
npx shadcn@latest add https://example.com/r/my-component.json). While this is a core feature of the shadcn distribution model, it presents a potential attack surface if an agent is directed to fetch components from untrusted or malicious sources. - [INDIRECT_PROMPT_INJECTION]: The skill includes an attack surface for indirect injection as it reads and processes project configuration files (
components.json,package.json, and CSS files) to determine its workflow. - Ingestion points: Files
components.json,package.json, and project CSS files are read by scripts in thescripts/directory. - Boundary markers: None explicitly defined for the data read from these files.
- Capability inventory: The skill has the capability to execute shell commands via
npxand read/write files within the project directory. - Sanitization: Standard shell scripting practices are used (e.g.,
set -euo pipefail), but the content of the JSON files is not strictly sanitized against prompt injection patterns. - [CREDENTIALS_SAFE]: The skill demonstrates safe credential management practices in
references/components-json-schema.mdby using environment variable expansion (${PRIVATE_REGISTRY_TOKEN}) for registry authentication headers instead of hardcoding secrets.
Audit Metadata