shadcn
Pass
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses dynamic context injection in `SKILL.md` to run `npx shadcn@latest info --json`. This is used to automatically populate the agent's context with project metadata (e.g., framework, tailwind version), which is a legitimate and safe use of the feature for this developer tool.
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to fetch UI components and documentation from official shadcn/ui registries using the official CLI. These operations target well-known developer services and do not involve untrusted third-party sources.
- [REMOTE_CODE_EXECUTION]: The workflow relies on executing the shadcn CLI via standard package runners like `npx`, `pnpm dlx`, or `bunx`. This is the standard operational mode for this utility in the JavaScript ecosystem.
Audit Metadata