web-artifacts-builder

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill relies on executing two local bash scripts, scripts/init-artifact.sh and scripts/bundle-artifact.sh. Without the source code for these scripts, their behavior (such as file system modification or network calls) cannot be verified.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The bundling process explicitly installs multiple Node.js packages including parcel, @parcel/config-default, parcel-resolver-tspaths, and html-inline. Installing unpinned or unverified packages at runtime introduces supply chain risks.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): User-provided input (e.g., <project-name>) is passed directly as an argument to bash scripts/init-artifact.sh. This could be exploited via command injection if the script does not properly sanitize the input.
  • [DYNAMIC_EXECUTION] (MEDIUM): The skill uses Parcel to compile and bundle React/TypeScript code into a single HTML file at runtime, which is a form of dynamic code generation and execution within the agent's environment.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:02 PM