shadcn
v0.1.1Manages shadcn components and projects — adding, searching, fixing, debugging, styling, and composing UI. Provides project context, component docs, and usage...
⭐ 0· 116·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (manage shadcn components/projects) matches the contents: rules, CLI guidance, examples, and workflows for using the shadcn CLI. There are no unrelated required env vars, binaries, or install actions that would be inconsistent with a CLI/documentation skill.
Instruction Scope
Runtime instructions tell the agent to run the shadcn CLI (e.g., `npx shadcn@latest info --json`) and to read project files like components.json. This is expected for a CLI helper. Be aware that those commands will fetch and run the shadcn package transiently and will read project files in the working directory; the SKILL.md also documents registry headers and `${VAR}` interpolation which could cause the CLI to read environment variables when resolving registries. The instructions do not direct the agent to collect unrelated system secrets or post data to unexpected endpoints.
Install Mechanism
No install spec and no code files that install arbitrary packages are present. The skill is documentation-only; the only runtime installation behavior it recommends is running the official shadcn CLI via the project's package runner (npx/pnpm dlx/bunx), which is appropriate given the stated purpose.
Credentials
The skill does not declare any required environment variables. However, documentation (mcp.md and registry examples) explains that registries may include header templates like `Authorization: Bearer ${MY_TOKEN}` and that `${VAR}` placeholders are resolved from environment variables. That means the shadcn CLI (not the skill itself) may read env vars when interacting with private registries. This is proportional to the task, but users should be aware that using private registries or enabling the MCP server can require tokens.
Persistence & Privilege
The skill does not request persistent presence (always is false) and does not modify other skills or agent system settings. It only supplies guidance to run the shadcn CLI and to operate on project files; no elevated agent privileges are requested by the skill itself.
Assessment
This skill is a documentation/instruction pack for using the shadcn CLI and appears coherent. Before installing or using it, consider:
- The SKILL instructs the agent to run `npx shadcn@latest` (or equivalent). That will download and execute the shadcn npm package at runtime — treat that like running any third‑party CLI. If you need defense in depth, pin a specific package version instead of using @latest.
- The CLI reads project files (components.json, globals.css, etc.) and may resolve `${VAR}` placeholders from your environment. Do not run these commands in a shell that has sensitive credentials exported if you are unsure of the registry configuration.
- If you enable the MCP server functionality, it can read editor config and registry settings and may be configured to use auth headers; only enable it in trusted environments and verify registry URLs and headers.
- When adding/updating components, prefer `--dry-run` / `--diff` / `--view` first so you can inspect exactly what files will change before writing to disk.
- Verify the provenance of the shadcn CLI / repo you use (check the npm package or the GitHub source) before allowing it to run in production repositories.Like a lobster shell, security has layers — review code before you run it.
latestvk976k25b2y9sz1g35t062kh3fd839ndc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.