animated-component-libraries
Audited by Socket on Feb 27, 2026
1 alert found:
Security: This skill is primarily a documentation/integration guide for front-end animated component libraries and does not itself contain code performing malicious actions. However, it promotes installation patterns that involve fetching and executing remote code (npx shadcn add with a remote URL, copying components from external websites, and running unspecified helper scripts). Those download-and-run patterns are the main supply-chain risk: if the remote domains or packages are compromised, arbitrary code could be introduced into developers' projects. There are no direct signs of credential harvesting, command-and-control, or obfuscated payloads in the provided text. Recommended mitigations: avoid blind npx runs from unverified URLs, prefer pinned git commits or published packages with checksums, review any copied component code before adding to a project, verify package names (avoid ambiguous 'motion' vs 'framer-motion'), and inspect any helper scripts before executing them.