shadcn-guide

Pass

Audited by Gen Agent Trust Hub on Feb 24, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides numerous instructions for using the shadcn CLI and standard package managers (npm, npx, pnpm). These commands are used for project initialization (shadcn init), component installation (shadcn add), and system configuration (MCP server setup).
  • [EXTERNAL_DOWNLOADS]: The documentation describes the process of downloading component source code and metadata from official registries (ui.shadcn.com), AI platforms (v0.dev), and community-maintained third-party registries. It includes a specific security warning advising users to review third-party code before installation.
  • [DATA_EXFILTRATION]: The skill uses environment variable placeholders (e.g., ${REGISTRY_TOKEN}, ${API_KEY}) for registry authentication. This follows security best practices by avoiding hardcoded credentials in configuration files.
  • [REMOTE_CODE_EXECUTION]: The registry system described in the documentation is designed to fetch and integrate code into a local project. This is a primary function of the shadcn/ui 'open-code' philosophy, where the CLI serves as the delivery mechanism for component source files.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 24, 2026, 04:28 PM