shadcn
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the official
npx shadcn@latestCLI to perform component installation and project maintenance, which is consistent with its stated purpose. - [DYNAMIC_CONTEXT_INJECTION]: The
SKILL.mdfile contains a dynamic command!npx shadcn@latest info --jsonthat runs at load time to populate project metadata. This is a benign use of project-specific tooling to inform the agent's behavior. - [EXTERNAL_DOWNLOADS]: Component source code and documentation are retrieved from remote registries. The instructions mitigate supply chain risks by requiring the agent to use CLI flags like
--dry-runand--viewto inspect code before application. - [INDIRECT_PROMPT_INJECTION]: While the skill ingests external registry data, it includes detailed verification steps to ensure all integrated code complies with local styling and accessibility standards.
Audit Metadata