Trust Assessment
widgets-ui received a trust score of 86/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. The key finding is an unpinned external dependency fetched via a direct URL.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Unpinned external dependency via direct URL. The skill's quick start guide instructs users to add a component using `npx shadcn@latest add https://ui.inference.sh/r/widgets.json`. This command fetches code directly from an external URL without any version pinning or integrity verification. If `ui.inference.sh` were compromised, malicious code could be injected into the `widgets.json` file, leading to arbitrary code execution on the developer's machine when the component is added and used. Pin the version of the external component (if supported by `shadcn` for direct URLs), provide a cryptographic hash for integrity verification, or host the component in a trusted, version-controlled package registry. Instruct users to review the fetched code before integration. | LLM | SKILL.md:8 |