ui-styling
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The script scripts/shadcn_add.py uses subprocess.run to invoke external binaries with dynamic arguments.
  - Evidence: In scripts/shadcn_add.py, the add_components method constructs a command list that includes input provided by the user/agent and executes it with subprocess.run.
  - Risk: Passing a list to subprocess.run is safer than shell=True, since it rules out shell metacharacter injection, but component names taken verbatim from CLI arguments are still handed to the child process unchecked. A name that begins with "-" reaches the shadcn CLI as its own argv element and is parsed as an option, allowing injection of unexpected CLI flags.
- [EXTERNAL_DOWNLOADS] (LOW): The skill uses npx to download and run the shadcn/ui CLI from the npm registry.
  - Evidence: scripts/shadcn_add.py invokes npx shadcn@latest add.
  - Mitigation: Per [TRUST-SCOPE-RULE], the severity of this finding is downgraded to LOW because the tool comes from a reputable source associated with trusted organizations such as Vercel.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The use of npx shadcn@latest constitutes a remote code execution vector: it downloads and executes whatever version of the external tool carries the latest tag at runtime, so the code that runs is not pinned and can change between invocations.
- [PROMPT_INJECTION] (LOW): The skill exposes a surface for indirect prompt injection, since untrusted data (component names) flows into a capability-heavy script.
  - Ingestion points: the components argument in scripts/shadcn_add.py.
  - Boundary markers: Absent.
  - Capability inventory: subprocess.run in scripts/shadcn_add.py.
  - Sanitization: Basic list concatenation is used, with no shell escaping and no validation against a strict allowlist.
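The list-concatenation pattern the COMMAND_EXECUTION and Sanitization findings describe, shown beside an allowlist-validated variant, as an added illustration that is not the skill's own scripts/shadcn_add.py. The function names, the allowlist regex, the pinned-version parameter and the flag-like sample input are assumptions constructed for this example; no claim is made about which options the shadcn CLI actually accepts.

```python
import re
import subprocess
from typing import Iterable, List

# Added illustration, not the skill's own scripts/shadcn_add.py. Names, regex
# and the pinned-version parameter are assumptions made for this example.

# Strict allowlist for a shadcn/ui component name: lowercase letters and digits,
# separated by single hyphens. A leading "-" cannot match, so no accepted name
# can be parsed by the child CLI as an option.
COMPONENT_NAME = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")


class ComponentNameError(ValueError):
    """Raised when a component name fails the allowlist check."""


def rejected_names(components: Iterable[str]) -> List[str]:
    """Return the entries that are not plain component names (flags, paths, shell text)."""
    return [c for c in components
            if not isinstance(c, str) or COMPONENT_NAME.fullmatch(c) is None]


def validate_components(components: Iterable[str]) -> List[str]:
    """Fail closed: either every name matches the allowlist or nothing is run."""
    names = list(components)
    bad = rejected_names(names)
    if bad:
        raise ComponentNameError(f"rejected component names: {bad!r}")
    if not names:
        raise ComponentNameError("no components given")
    return names


def build_add_command_unchecked(components: Iterable[str]) -> List[str]:
    """The pattern the audit describes: list concatenation with no validation.

    Shell injection is not possible (no shell=True), but an entry such as
    "--some-flag" (constructed input) reaches the CLI as its own argv element
    and is parsed as an option rather than a component name.
    """
    return ["npx", "shadcn@latest", "add", *components]


def build_add_command(components: Iterable[str], version: str) -> List[str]:
    """Hardened variant: validated names only, and a pinned package version
    instead of the floating @latest tag (assumption: the caller supplies a
    version it has reviewed, e.g. taken from a lockfile)."""
    names = validate_components(components)
    return ["npx", f"shadcn@{version}", "add", *names]


def add_components(components: Iterable[str], version: str, cwd: str = ".") -> int:
    """Run the hardened command. Still an argv list, never shell=True."""
    cmd = build_add_command(components, version)
    result = subprocess.run(cmd, cwd=cwd, check=False)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs: a benign request and one smuggling a flag-like token.
    # "1.2.3" is a placeholder, not a recommendation of any particular release.
    print(build_add_command_unchecked(["button", "--some-flag"]))
    print(build_add_command(["button", "dropdown-menu"], version="1.2.3"))
    print(rejected_names(["button", "--some-flag", "button; rm -rf ~", "../x"]))
```

The unchecked builder passes "--some-flag" straight through as a fourth argv element, which is exactly the flag-injection the finding describes; the validated builder refuses it before subprocess.run is ever reached, and pinning the version addresses the separate @latest concern. Only add_components touches the network; the builders are pure and can be unit-tested offline.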
Audit Metadata