artifacts-builder
Audited by Gen Agent Trust Hub on Feb 12, 2026
The skill involves two primary scripts: scripts/init-artifact.sh and scripts/bundle-artifact.sh. Both make extensive use of pnpm (and npm, to install pnpm itself) to install and execute a large number of external Node.js packages, including vite, tailwindcss, parcel, and various shadcn/ui and radix-ui components. These packages are sourced from npmjs.com, a generally trusted registry, but the sheer volume of external dependencies introduces a significant supply chain risk: the content of the packages and their transitive dependencies cannot be fully audited at the time of analysis, so a compromised dependency could lead to malicious code execution. The npm install -g pnpm command also performs a global installation, which is a minor form of privilege escalation. No direct data exfiltration or prompt injection patterns were found in the provided files. The LICENSE.txt and SKILL.md files are benign; the phrase 'VERY IMPORTANT' in SKILL.md was flagged, but this is a minor false positive, as the phrase is used in a benign context.