The Agent Skills Directory

[COMMAND_EXECUTION]: The scripts/init-artifact.sh script accepts a project name as a command-line argument and uses it directly in shell commands and sed substitution strings. This creates a risk of command or argument injection if a maliciously crafted project name is provided.
[EXTERNAL_DOWNLOADS]: Multiple scripts (bundle-artifact.sh and init-artifact.sh) perform automated downloads and installations of numerous third-party packages from the public npm registry. This includes significant build tools like Parcel and Vite, which increases the supply chain risk profile of the skill.
[COMMAND_EXECUTION]: The initialization script extracts a local binary archive (shadcn-components.tar.gz) into the project directory. The contents of this archive are not transparent and are executed as part of the project setup.
[COMMAND_EXECUTION]: The build scripts contain destructive commands, such as rm -rf dist and rm -rf bundle.html. While these are intended for cleaning build artifacts, they are executed without directory validation, posing a risk of accidental data deletion.

moai-artifacts-builder