shadcn-ui
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill includes a utility script, scripts/verify-setup.sh, which is used to validate the project environment. This script performs diagnostic, read-only operations such as checking for the existence of configuration files (components.json, tailwind.config.js) and verifying dependencies in package.json.
- [REMOTE_CODE_EXECUTION]: The core functionality of the skill involves directing the agent to use the npx shadcn command for project initialization and component installation. These commands interact with the well-known shadcn CLI tool via the npm registry.
- [EXTERNAL_DOWNLOADS]: The skill facilitates the installation of standard React components and primitives from trusted sources, including Radix UI and the official npm registry, which are essential for the shadcn/ui ecosystem.
- [PROMPT_INJECTION]: The skill reads local project configuration files (package.json, components.json) to adapt its behavior to the project's setup. This represents a minor indirect prompt injection surface.
  - Ingestion points: Local project configuration files (package.json, components.json, tsconfig.json).
  - Boundary markers: Not present.
  - Capability inventory: The skill has access to Bash, Write, and Read tools to manage components and verify configuration.
  - Sanitization: Not explicitly implemented for configuration file ingestion.