artifacts-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- Unverifiable Dependencies (LOW): The skill installs numerous packages from the NPM registry (e.g., React, Tailwind, Parcel). While NPM is a trusted source, the large number of dependencies increases the external attack surface.
- Dynamic Execution (LOW): Build configurations for Vite, Tailwind, and Parcel are dynamically generated and modified at runtime. This behavior is standard for the skill's function as a build tool, justifying a severity reduction from MEDIUM.
- Command Execution (LOW): The project initialization and bundling scripts execute multiple shell commands to set up development environments and process build assets.
- Indirect Prompt Injection (LOW): (1) Ingestion points: Project source directory files modified during development. (2) Boundary markers: None. (3) Capability inventory: Build pipeline execution via Parcel and Vite, and package installation via pnpm. (4) Sanitization: No sanitization of source code is performed prior to bundling.
Audit Metadata