artifacts-builder

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The init-artifact.sh and bundle-artifact.sh scripts download numerous packages from the public NPM registry, including pnpm, vite@5.4.11, parcel, and tailwindcss@3.4.1. These are well-known development tools but constitute external code dependencies.
  • [EXTERNAL_DOWNLOADS]: The skill references and extracts a local archive shadcn-components.tar.gz during the project initialization phase to populate the source directory.
  • [COMMAND_EXECUTION]: The skill automates project setup by executing shell commands for global package management (npm install -g pnpm), file system modification (sed), and archive extraction (tar).
  • [COMMAND_EXECUTION]: Runtime execution of JavaScript via node -e is used to programmatically parse and update configuration files such as tsconfig.json and tsconfig.app.json.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) as it is designed to process untrusted data into a final executable output.
      • Ingestion points: The project name argument passed to init-artifact.sh and user-modified source code within the project directory.
      • Boundary markers: No specific boundary markers or 'ignore' instructions are implemented in the resulting bundle.html to separate user-contributed content from system behavior.
      • Capability inventory: Full access to shell command execution, network access via package managers, and the ability to write to the file system.
      • Sanitization: No robust validation or sanitization is performed on user inputs (e.g., project names) before they are interpolated into configuration files or the HTML entry point.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 06:38 AM