shadcn-ui

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: Detected obfuscated URLs in reference.md using URL-encoding and malformed protocols (e.g., http://https:%2F%2Fcontext7.com...) to hide external tracking or research domains. Additionally, official-ui-reference.md references the NPM package tw-animate-css as a dependency for animation effects; this package is not part of the standard shadcn/ui stack (which uses tailwindcss-animate) and may represent a typosquatting or malicious dependency risk.
  • [REMOTE_CODE_EXECUTION]: The skill documents and provides examples for installing components directly from remote registries using the shadcn CLI (e.g., npx shadcn add https://...). This functionality allows for the execution of remote code and installation of unverified files into the local project structure.
  • [COMMAND_EXECUTION]: Includes numerous bash commands for initializing Next.js and Remix projects, installing dependencies, and configuring environment variables via the CLI, requiring users to run scripts with broad permissions.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 07:23 AM