shadcn-ui
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill exposes a critical attack surface by ingesting external component code and metadata without sanitization or boundary markers.
  1. Ingestion points: MCP tools list_components, get_component, and search_items_in_registries fetch content from remote registries.
  2. Boundary markers: No delimiters or instructions exist to isolate untrusted content.
  3. Capability inventory: The agent possesses Bash, Write, and web_fetch permissions.
  4. Sanitization: Fetched code is processed and written directly to the filesystem without validation.
- [Remote Code Execution] (HIGH): The skill's core workflow relies on npx shadcn@latest and other initializers to download and execute code from the npm registry and shadcn's servers at runtime, which are outside the defined trust scope.
- [Command Execution] (MEDIUM): The scripts/verify-setup.sh script performs local environment checks using shell commands like find and grep. While its current logic is benign, the broad Bash permission combined with the intake of remote instructions creates a risk of privilege misuse.
- [External Downloads] (HIGH): The skill encourages the use of custom registries, which are unverified third-party sources that could host malicious components.
Recommendations
- AI detected serious security threats