github-elements

Fail

Audited by Socket on Feb 27, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The package appears functionally benign: a set of UI components intended to display GitHub data. There is no direct evidence in the provided text of malware, hard-coded credentials, or obfuscated code. However, the install pattern (`npx shadcn@latest add ...`) introduces a non-trivial supply-chain risk because it runs unpinned remote code at install time. Additional ambiguity about where runtime API calls are directed and how authentication is handled increases the chance of credential exposure or unintended data routing. I recommend auditing the shadcn installer and the installed @elements package sources prior to running, pinning versions, and confirming the endpoints and secrets-handling behavior of the components.

Confidence: 98%
Audit Metadata

Analyzed At: Feb 27, 2026, 07:13 PM

Package URL: pkg:socket/skills-sh/crafter-station%2Felements%2Fgithub-elements%2F@0031c6be547aa8c00c7b117a19fbbc4a479e337b