shadcn-ui
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it retrieves and processes code from external sources.
  - Ingestion points: External data enters the agent context through `web_fetch`, `mcp_shadcn*` tools, and custom registries configured in `components.json`.
  - Boundary markers: No explicit boundaries or instructions are provided to the agent to treat external component source code or metadata as untrusted data.
  - Capability inventory: The agent has `Bash` and `Write` permissions, which allow for persistent system modification and arbitrary command execution.
  - Sanitization: No sanitization or validation of the fetched content is performed before the agent acts upon it.
- [REMOTE_CODE_EXECUTION] (HIGH): The instructions explicitly recommend using `npx shadcn@latest`, which downloads and executes remote code from the npm registry. This is a form of runtime remote code execution that bypasses static package verification.
- [COMMAND_EXECUTION] (MEDIUM): The skill requests broad permissions including `Bash` and `Write`. While necessary for a CLI-based developer tool, these capabilities serve as critical exploit primitives if the agent is compromised via indirect prompt injection.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The tool is designed to facilitate the downloading of third-party components and their dependencies (Radix UI, Base UI, etc.) from external repositories and registries.
Recommendations
- AI detected serious security threats
Audit Metadata