Trust Assessment
shadcn-ui received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 3 findings: 0 critical, 0 high, 3 medium, and 0 low severity. All three are instances of the same issue: unpinned dependencies in installation instructions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| MEDIUM | Unpinned dependencies in installation instructions. The skill provides installation instructions for `shadcn/ui` components and `next-themes` using `@latest` or with no version specified, which resolves to the latest published version. Not pinning dependencies introduces supply-chain risk: a malicious update to a package could be pulled into a project automatically, without explicit review, and an AI agent generating code or instructions from this skill might recommend the same unpinned installations. Recommend specifying exact or semver-compatible versions for all dependencies (e.g., `npx shadcn@1.0.0 add button` or `npm install next-themes@^0.2.3`) to ensure predictable and secure installations. | LLM | SKILL.md:15, SKILL.md:166, SKILL.md:307 |
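The finding above is mechanical enough to check before a skill is published. The script below is an added example, not SkillShield's scanner and not code from the shadcn-ui skill: it walks instruction text line by line, pulls out `npx`/`npm install` (and, going beyond the report, `pnpm`/`yarn`/`bun add`) commands even when they sit inside prose or backticks, splits each package spec into name and version (scoped names such as `@tailwindcss/postcss` included), and classifies the version as `unpinned` (missing or a floating dist-tag like `latest`), `range` (`^`, `~`, comparators) or `exact`. The sample SKILL.md text and every package name and version in it are constructed; the pinned versions simply echo the report's own suggestions.

```python
"""Flag install commands with unpinned package versions in skill instruction text.

Added example: this is not SkillShield's scanner and not code from the shadcn-ui
skill. The sample text, package names and versions below are constructed.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

PKG_MANAGERS = {"npm", "npx", "pnpm", "yarn", "bun"}
# (tool, subcommand) pairs whose positional arguments are package specs.
INSTALL_VERBS = {
    ("npm", "install"), ("npm", "i"), ("npm", "add"),
    ("pnpm", "add"), ("pnpm", "install"), ("yarn", "add"), ("bun", "add"),
}
RANGE_PREFIX = ("^", "~", ">", "<", "=")
# Optional scope, lowercase name, optional '@version'; rejects flags and stray punctuation.
NAME_RE = re.compile(r"^(?:@[a-z0-9~][\w.-]*/)?[a-z0-9~][\w.-]*(?:@\S+)?$")
EXACT_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


@dataclass
class Finding:
    line_no: int
    command: str
    package: str
    version: Optional[str]
    status: str  # "unpinned" (missing or dist-tag), "range" (semver range) or "exact"


def split_spec(spec: str):
    """'name@version' -> (name, version). Scoped names keep their leading '@',
    so '@tailwindcss/postcss@4.1.0' -> ('@tailwindcss/postcss', '4.1.0')."""
    at = spec.rfind("@")
    if at <= 0:  # no version; a lone leading '@' is the scope marker
        return spec, None
    return spec[:at], spec[at + 1:]


def classify(version: Optional[str]) -> str:
    """Missing versions, dist-tags ('latest', 'next') and wildcards float freely;
    '^'/'~'/comparator ranges float within bounds; only x.y.z is a hard pin."""
    if version is None or not (version[0].isdigit() or version.startswith(RANGE_PREFIX)):
        return "unpinned"
    return "exact" if EXACT_RE.match(version) else "range"


def package_specs(argv: List[str]) -> List[str]:
    """Package specs named by one tokenised command, or [] if it installs nothing."""
    if not argv:
        return []
    if argv[0] == "npx":
        # npx fetches exactly one package; 'add button' are that package's own args.
        return [a for a in argv[1:] if NAME_RE.match(a)][:1]
    if len(argv) >= 2 and (argv[0], argv[1]) in INSTALL_VERBS:
        return [a for a in argv[2:] if NAME_RE.match(a)]
    return []


def find_unpinned_installs(text: str) -> List[Finding]:
    """Scan instruction text line by line. Commands may sit inside prose or
    backticks and be chained with '&&', '||' or ';'."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        for command in re.split(r"\s*(?:&&|\|\||;)\s*", raw.replace("`", " ").strip()):
            try:
                argv = shlex.split(command)
            except ValueError:
                continue  # unbalanced quote, e.g. an apostrophe in prose
            starts = [i for i, a in enumerate(argv) if a in PKG_MANAGERS]
            if not starts:
                continue
            argv = argv[starts[0]:]
            for spec in package_specs(argv):
                name, version = split_spec(spec)
                status = classify(version)
                if status != "exact":
                    findings.append(Finding(line_no, " ".join(argv), name, version, status))
    return findings


# Constructed stand-in for a SKILL.md; the pinned versions echo the report's own
# suggestions and are illustrative, not a recommendation of specific releases.
SAMPLE_SKILL_MD = """\
# Installation (constructed sample)
Initialise the project:
    npx shadcn@latest init
Add a component:
    npx shadcn@latest add button
Theme switching: `npm install next-themes`.
Pinned alternative:
    npx shadcn@1.0.0 add button && npm install next-themes@^0.2.3
Dev tooling: npm install -D tailwindcss@4.1.0 @tailwindcss/postcss@4.1.0
"""

if __name__ == "__main__":
    for f in find_unpinned_installs(SAMPLE_SKILL_MD):
        print(f"SKILL.md:{f.line_no}: {f.status:<8} {f.package}@{f.version or '<none>'}  <- {f.command}")
```

Run against the sample, the checker reports the two `@latest` lines and the bare `npm install next-themes` as `unpinned`, and `next-themes@^0.2.3` as `range` rather than accepting it silently: a caret range is what the report calls "semver-compatible", but it still floats across patch releases, so it only yields a reproducible install alongside a committed lockfile installed with `npm ci`. Exact `x.y.z` pins pass without comment.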
Full report: https://skillshield.io/report/5662e51328d92533