artifacts-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill defines a workflow where the agent 'develops' code by editing files that are subsequently processed by build tools. This creates a vulnerability where malicious instructions embedded in external data (e.g., a website the agent is analyzing to build an artifact) could be injected into the React source or `package.json`.
  - Ingestion points: Source files in the `src/` directory and project configuration files like `package.json` and `index.html`.
  - Boundary markers: None identified; the instructions do not advise the agent to sanitize or ignore instructions within the generated code.
  - Capability inventory: The skill uses the `Bash` tool to run `npm install` and `npx parcel build`, which can trigger lifecycle scripts or execute malicious code within the build pipeline.
  - Sanitization: None provided for the generated code before it is passed to the build tools.
- [Unverifiable Dependencies] (MEDIUM): The `bundle-artifact.sh` script automatically installs several npm packages (`parcel`, `html-inline`, etc.) if they are missing. These dependencies are fetched from a public registry without version pinning, posing a supply-chain risk.
- [Remote Code Execution] (MEDIUM): The skill uses `npx` to execute downloaded packages (`parcel` and `html-inline`). Executing unverified code from a remote registry at runtime is a dangerous pattern in an agentic context.
- [Command Execution] (LOW): The skill relies on the `Bash` tool to execute internal scripts (`init-artifact.sh`, `bundle-artifact.sh`). While the scripts themselves appear functional, the reliance on shell execution for the build process increases the impact of any injection vulnerability.
Recommendations
- AI detected serious security threats
Audit Metadata