The Agent Skills Directory

[COMMAND_EXECUTION] (HIGH): The script scripts/init-artifact.sh attempts to install the pnpm package manager globally using the command npm install -g pnpm. Global installations typically require root/administrative privileges and modify the underlying system environment, which is considered an unsafe privilege escalation pattern.
[EXTERNAL_DOWNLOADS] (MEDIUM): Both scripts/init-artifact.sh and scripts/bundle-artifact.sh download and install numerous packages from the npm registry. While these are standard developer tools, the large volume of third-party code executed during the install and build phases presents a significant supply-chain risk surface.
[REMOTE_CODE_EXECUTION] (MEDIUM): The bundling process involves executing build tools like Vite and Parcel. These tools can run arbitrary code defined in package.json scripts, configuration files, and plugin hooks, which could be exploited if malicious configurations are introduced.
[COMMAND_EXECUTION] (LOW): The initialization script uses variable interpolation for shell commands (e.g., pnpm create vite "$PROJECT_NAME"). Although variables are quoted, this represents a potential vulnerability surface for command injection if inputs like the project name are not strictly validated.
[SAFE] (SAFE): No evidence of hardcoded credentials, sensitive data exfiltration, or prompt injection attempts was found in the provided React source code or script logic.

web-artifacts-builder