Skills
skills/ycs77/skills/shadcn-vue/Snyk

shadcn-vue

Warn

Audited by Snyk on Feb 16, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The documentation (core-setup.md and references/advanced-registry.md) explicitly shows the CLI can "add" registry JSON from arbitrary public URLs (e.g., "npx shadcn-vue@latest add https://acme.com/registry/navbar.json" and "npx shadcn-vue@latest add https://acme.com/r/hello-world.json"), meaning the agent/CLI fetches and ingests untrusted third‑party JSON and component files as part of its workflow.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 16, 2026, 03:55 AM