Skills
skills/hubeiqiao/skills/web-artifacts-builder/Gen Agent Trust Hub

web-artifacts-builder

Warn

Audited by Gen Agent Trust Hub on Apr 16, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The init-artifact.sh script is vulnerable to command injection through the user-supplied project name parameter. The script incorporates the $PROJECT_NAME variable directly into a sed command string using shell expansion ($SED_INPLACE 's/.../.../'"$PROJECT_NAME"'...'), allowing a malicious project name to execute arbitrary sed commands or modify files outside the project scope.
  • [COMMAND_EXECUTION]: The init-artifact.sh script attempts to install the pnpm package manager globally using npm install -g pnpm. Modifying the global environment is a high-privilege operation that can affect other projects and processes on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill makes extensive use of the public NPM registry to download and install development dependencies, including core build tools like Vite and Parcel, which are then executed during the artifact creation process.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 16, 2026, 08:51 AM