shadcn-ui

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill includes commands like "pnpm dlx shadcn@latest create" / "npx shadcn@latest create" which fetch and execute the shadcn CLI from the npm registry at runtime (remote code execution during install), so this is a required runtime external dependency that executes remote code.