web-artifacts-builder

Warn

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The scripts/init-artifact.sh script relies on a local binary tarball shadcn-components.tar.gz that is extracted into the project source. As a binary blob, its contents cannot be verified during static analysis, posing a supply-chain risk for any generated artifacts.
  • [External Downloads & Unverifiable Dependencies] (LOW): The skill installs a very large number of external Node.js packages (over 50) from the public NPM registry. While these are common libraries, the extensive dependency tree increases the attack surface.
  • [Privilege Escalation] (LOW): The initialization script attempts to install pnpm globally (npm install -g pnpm) if it is not found. This modifies the global system state beyond the scope of the individual project.
  • [Dynamic Execution] (LOW): The script utilizes node -e to programmatically parse and modify tsconfig.json files. While used for configuration purposes here, inline script execution on local files is a vector for unexpected behavior if file contents are manipulated.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 21, 2026, 08:21 AM