artifacts-builder
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The initialization script `scripts/init-artifact.sh` contains a potential command injection vulnerability where the user-supplied project name is directly interpolated into a `sed` command.
  - Evidence: The line `$SED_INPLACE 's/<title>.*<\/title>/<title>'"$PROJECT_NAME"'<\/title>/' index.html` allows for arbitrary shell command execution or file manipulation if the project name contains shell special characters or command delimiters.
- [COMMAND_EXECUTION]: The skill relies on complex shell scripts to manage project setup, configuration, and bundling.
  - Evidence: Usage of `init-artifact.sh` and `bundle-artifact.sh` to automate file system operations, environment detection, and the execution of local binaries via `pnpm exec`.
- [EXTERNAL_DOWNLOADS]: Both the initialization and bundling scripts perform extensive downloads from the npm registry.
  - Evidence: The `init-artifact.sh` script attempts to install `pnpm` globally using `npm install -g pnpm` if it is not detected on the system, and installs a large set of React and shadcn/ui dependencies.
- [EXTERNAL_DOWNLOADS]: The `bundle-artifact.sh` script dynamically installs build tools at runtime.
  - Evidence: Dynamic installation of `parcel`, `@parcel/config-default`, `parcel-resolver-tspaths`, and `html-inline` during the bundling process.