web-artifacts-builder

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The script scripts/init-artifact.sh installs the pnpm package manager globally using npm install -g pnpm. This modifies the system-wide environment and may require elevated privileges.
  • EXTERNAL_DOWNLOADS (MEDIUM): Both init-artifact.sh and bundle-artifact.sh download and install numerous third-party packages from the public npm registry at runtime (e.g., parcel, radix-ui components, tailwindcss). This introduces a dependency on external code that is not pinned by hash or bundled with the skill, creating a supply chain risk.
  • COMMAND_EXECUTION (LOW): The scripts utilize node -e and sed to programmatically rewrite configuration files like tsconfig.json and vite.config.ts. While standard for scaffolding, dynamic modification of project configuration files is a minor concern in automated contexts.
  • COMMAND_EXECUTION (LOW): The skill executes pnpm create vite and parcel build, which involve running external generators and build pipelines on the local machine.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 03:55 PM