shadcn-theming
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
Flags: EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [Unverifiable Dependencies] (LOW): The skill recommends installing next-themes. This is a standard and well-known community package in the Shadcn ecosystem.
- [Indirect Prompt Injection] (LOW):
  1. Ingestion points: User-provided color strings and design requests (e.g., 'Make it softer').
  2. Boundary markers: Absent.
  3. Capability inventory: Modification of local project CSS files and execution of the local color conversion script.
  4. Sanitization: The convert_colors.js script uses regex to validate inputs, though the prompt instructions do not enforce specific boundaries for the resulting CSS interpolation. The risk is limited to local UI style modifications.
- [Command Execution] (SAFE): The skill executes a local script, scripts/convert_colors.js. Analysis of the source code confirms it is a pure mathematical utility for color space conversion with no network, file system, or environment variable access.