react-shadcn
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of component source code using the command `bunx shadcn@latest add`. This process fetches code from the official shadcn/ui registry, which is a trusted and established service in the React development community.
- [EXTERNAL_DOWNLOADS]: Component examples and references include media assets and configuration schemas hosted on well-known, trusted domains such as `images.unsplash.com`, `github.com`, and `ui.shadcn.com`.
- [PROMPT_INJECTION]: The components defined in the skill (such as Data Tables, Forms, and Breadcrumbs) act as ingestion points for external data, creating a surface for potential indirect prompt injection.
  - Ingestion points: Identified in `references/table.md` (table rows), `references/form-examples.md` (form fields), and `references/breadcrumb.md` (URL path segments).
  - Boundary markers: Absent; components render data directly as strings or numbers within the UI structure.
  - Capability inventory: The skill includes scripts that perform network requests via `fetch` and system-level operations via the `bunx` command for component generation.
  - Sanitization: The components rely on React's built-in string escaping for protection against XSS, but they do not implement specific logic to sanitize or ignore instructions embedded in the data being rendered.
Audit Metadata