shadcn

Security checks across malware telemetry and agentic risk

Overview

This is a coherent shadcn/ui helper skill, with expected project-file and registry access for installing and managing UI components.

Install this if you want AI assistance for shadcn/ui projects. Review diffs before adding or updating components, be careful with overwrite/force options, use trusted registries, and only configure registry tokens for trusted HTTPS endpoints.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The documentation explicitly supports injecting Authorization headers from environment variables into registry requests, which enables the MCP/CLI to transmit secrets to arbitrary registry endpoints. In this skill context, the server can browse and install from custom registries, so encouraging bearer-token use without strong warnings or trust restrictions increases the risk of credential disclosure to malicious or misconfigured third-party registries.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal