Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shadcn UI
v1.0.0
Build accessible, customizable UIs with shadcn/ui, Radix UI, and Tailwind CSS. Use when setting up shadcn/ui, installing components, building forms with React Hook Form + Zod, customizing themes, or implementing component patterns.
⭐ 1 · 1.1k · 3 current · 5 all-time
by @wpank
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the content: guidance for shadcn/ui, Radix, Tailwind, React Hook Form, and Zod. The skill requires no credentials or special binaries, which is appropriate for a documentation/instruction-only helper.
Instruction Scope
SKILL.md is instruction-only and stays within the expected scope (installation steps, code snippets, component patterns). However, it instructs running npx shadcn@latest and other npx commands (which fetch and execute remote code) and contains manual install steps that reference copying files from ~/.ai-skills or cloning from GitHub — actions that touch the filesystem and fetch remote artifacts. Some example snippets in references/extended-components.md are malformed (embedded shell output in JSX, placeholder returns), indicating low-quality/auto-generated content that could be misleading.
Install Mechanism
No install spec for the skill itself (low risk), but the documentation encourages running npx commands (npx shadcn@latest, npx clawhub@latest, and an unusual `npx add https://...` line). Using npx pulls code from the network at runtime — appropriate for this helper but a potential risk if the remote package or URL is not verified. The README suggests copying from local hidden skill directories (~/.ai-skills), which is a normal local-install workflow but implies filesystem access if followed.
Credentials
The skill declares no required environment variables, credentials, or config paths. The instructions do reference user-local paths (home directories) only in manual install examples; there is no request for unrelated secrets or cloud credentials.
Persistence & Privilege
Skill flags show no elevated persistence (always: false). It is user-invocable and allows normal autonomous model invocation (platform default). The skill does not request to modify other skills or system-wide configs.
What to consider before installing
This instruction-only skill appears to be a documentation/helper for shadcn/ui and mostly coherent, but exercise caution before following its commands:
- Source unknown: The skill's Source/Homepage are not provided. Prefer official shadcn/ui docs (https://ui.shadcn.com) or the official GitHub repo over an unverified skill.
- npx risks: The guide recommends running npx shadcn@latest (and an odd `npx add https://...` line). npx fetches and runs remote code. Only run these commands if you trust the package name and verify the upstream source first.
- Inspect before executing: If you run npx shadcn@latest or similar, review the downloaded scripts (or run in an isolated environment/container) before letting them modify your project.
- Odd/corrupted snippets: Some examples in extended-components.md are malformed (embedded commands inside JSX, truncated returns). Treat code samples as illustrative and double-check them before copy-pasting into a real project.
- Safer alternatives: Use the official shadcn/ui documentation and packages, or clone the official GitHub repo directly. If you decide to install this skill, do so in a sandbox or only after verifying the upstream sources.
If you want higher confidence, ask the publisher for the skill's source URL or a verified homepage, or request that the skill maintainer point to the exact npm package or repository that the SKILL.md references.
Like a lobster shell, security has layers — review code before you run it.
latest vk9779kmx7rvrfx31k25bmzzn2180xnkh
