react-artifacts
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill references local shell scripts (
scripts/init-artifact.shandscripts/bundle-artifact.sh) to perform setup and bundling tasks. Because these scripts are external to the analyzed file, their specific commands (which could include arbitrary execution or network requests) cannot be reviewed.\n- [External Downloads] (LOW): The project initialization process involves installing a full React development stack, including Vite, Parcel, and Radix UI components. These dependencies are not version-locked in the documentation, posing a minor supply chain risk.\n- [Dynamic Execution] (LOW): The skill automates the compilation and bundling of user-provided React/TypeScript code into self-contained HTML files, which is a form of runtime code generation.\n- [Indirect Prompt Injection] (LOW): The skill processes untrusted code provided by the user to create artifacts. Ingestion points: External React/JSX code; Boundary markers: None; Capability inventory: Local bash execution, file system writes; Sanitization: None.
Audit Metadata