moai-artifacts-builder
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to run complex setup scripts (scripts/init-artifact.sh,scripts/bundle-artifact.sh) that create and delete directories, modify project files usingsed, and execute inline Node.js scripts (node -e) to alter configuration files liketsconfig.jsonandtsconfig.app.jsonat runtime. - [EXTERNAL_DOWNLOADS]: The initialization scripts automate the download and installation of more than 50 third-party Node.js packages. This includes a global installation command (
npm install -g pnpm) that alters the system-wide software environment. - [REMOTE_CODE_EXECUTION]: The use of
pnpm createand automated dependency installations fetches and executes package scripts from the NPM registry, effectively running remote code as part of the project setup workflow. - [CREDENTIALS_UNSAFE]: Documentation in
examples.mdincludes code patterns for handling sensitive information, such as passing API tokens in headers and referencing credential storage files like~/.pypircfor artifact distribution.
Audit Metadata