shadcn

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • Prompt Injection (SAFE): The skill contains steering instructions that prioritize the use of MCP (Model Context Protocol) tools. These are legitimate task-specific instructions designed to guide the agent toward efficient tool usage and do not attempt to bypass safety filters or override global system prompts.
  • Data Exposure & Exfiltration (SAFE): No evidence of credential exposure or sensitive file access was found. The code samples focus on UI components and do not include hardcoded secrets or network calls to untrusted domains.
  • Remote Code Execution (SAFE): The skill references standard 'npx shadcn' commands for component installation. While these involve downloading and executing code from the npm registry, they represent the official and expected usage of the shadcn/ui library and are considered safe in this context.
  • Dependencies (SAFE): All referenced Node.js packages (e.g., framer-motion, tailwind-merge, zod) are well-known, industry-standard libraries for modern web development.
  • Dynamic Execution (SAFE): Code templates provided in the skill are static TypeScript and CSS files. There is no evidence of runtime code generation, unsafe deserialization, or malicious library injection.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:17 PM