vite-shadcn-tailwind4
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill promotes the installation of third-party packages such as `tw-animate-css` and `@ai-elements/all`. Unlike standard packages like `tailwindcss-animate`, these are from non-trusted sources and should be manually verified for safety.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The workflow relies on `npx shadcn@latest` for initialization and component addition. This involves downloading and executing code from the npm registry at runtime. Although this is the primary purpose of the skill, the source is external and not part of the developer's trusted organization list.
- [COMMAND_EXECUTION] (LOW): Executes shell commands such as `npm install` and `npm run lint`. While these are standard for project setup, they allow the skill to modify the local environment.
- [Indirect Prompt Injection] (LOW): The skill parses local configuration files like `package.json` and `vite.config.ts` to determine subsequent actions.
  - Ingestion points: `package.json`, `tsconfig.json`, `vite.config.ts` (Phases 1, 2, 3).
  - Boundary markers: Absent. The skill trusts the content of these files without specific delimiters.
  - Capability inventory: Command execution (`npx`, `npm`), file modification (`src/index.css`, `tsconfig.json`).
  - Sanitization: No sanitization or validation of the data read from project files before using it to generate shell commands or configuration overrides.
Audit Metadata