skills/faqndo97/ai-skills/shadcn-ui/Gen Agent Trust Hub

shadcn-ui

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (HIGH): Multiple files (e.g., workflows/add-component.md, references/cli-registry.md, references/data-components.md) instruct the agent to execute commands that download components directly from external URLs.
      ◦ Evidence: npx shadcn@latest add https://www.shadcn.io/registry/gantt.json and bunx shadcn@latest add https://shadcn.io/r/kanban.json.
      ◦ The domain shadcn.io is not on the trusted external sources whitelist, and downloading or executing configuration or code from arbitrary URLs is a significant attack vector.
      ◦ This finding is downgraded to MEDIUM because the behavior is central to the documented technology's primary purpose.
  • Command Execution (MEDIUM): The skill frequently suggests executing powerful CLI commands such as npx shadcn, bun add, and bunx tsc to manage the project environment.
      ◦ While expected for a development tool, these capabilities grant the agent significant control over the local filesystem and build process.
  • Indirect Prompt Injection (LOW): The skill has a defined ingestion surface where user requests are mapped to workflows that execute commands.
      ◦ Ingestion points: User intent selection in SKILL.md.
      ◦ Boundary markers: Absent.
      ◦ Capability inventory: npx, bunx, bun add, navigator.clipboard.writeText across multiple workflow and reference files.
      ◦ Sanitization: Absent. This creates a surface where a malicious user could potentially influence the agent to execute modified or unintended CLI commands.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:27 PM