The Agent Skills Directory

[COMMAND_EXECUTION]: The skill executes npx shadcn@latest info to retrieve project configuration, framework version, and installed components. This data is essential for the agent to understand the local development environment.\n- [EXTERNAL_DOWNLOADS]: UI component source code is fetched from the official shadcn registry and community registries (e.g., @magicui, @tailark). The skill includes explicit instructions for agents to use --dry-run and --view to audit this code before installation.\n- [REMOTE_CODE_EXECUTION]: The skill uses package runners like npx, pnpm dlx, and bunx to execute the shadcn CLI package from the npm registry. This is a standard and expected behavior for this toolset.\n- [PROMPT_INJECTION]: The skill demonstrates an indirect prompt injection surface as it fetches content from external documentation and example URLs provided by the docs command. Ingestion points include the fetched URL content; boundary markers and sanitization are absent; capability inventory includes subprocess execution via the CLI. This surface is evaluated as a low-risk factor inherent to the skill's primary purpose of providing documentation-driven development assistance.

shadcn