shadcn-registry

This skill is a documentation/instruction skill for building and hosting shadcn component registries. Its capabilities (manifest editing, building, hosting guidance, and installing components) are consistent with the stated purpose. I found no code payloads, obfuscated code, or explicit instructions to download-and-execute arbitrary binaries. The principal security considerations are supply-chain best practices: (1) installing unpinned 'latest' CLIs and remote registry JSONs can expose consumers to trojanized packages or compromised registries; (2) the documented pattern of forwarding environment variables into Authorization/X-API-Key headers is functionally required for private registries but creates a credential-forwarding risk if configured to untrusted hosts or if production secrets are used. Recommend users pin CLI versions, verify registry hosts before providing credentials, avoid placing production secrets in envVars distributed via registries, and require manual review before the CLI writes files into a consumer repo. Overall there is no direct malicious content in this document, but there are supply-chain and credential-forwarding risks inherent to the described workflow.