artifacts-builder
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- Indirect Prompt Injection (HIGH): The skill turns untrusted user instructions into a complex React application, which is then bundled, and the skill explicitly suggests executing that bundle with browser automation tools such as Playwright or Puppeteer for 'testing' (Step 5). This gives instructions embedded in the untrusted content a direct path to becoming code that executes inside the agent's environment.
  - Ingestion points: user instructions for artifact content in `SKILL.md`.
  - Boundary markers: none present.
  - Capability inventory: shell execution (`bash`), package management (`pnpm`), and the suggested browser automation tools.
  - Sanitization: none; the generated code is neither sanitized nor sandboxed before the suggested execution.
- Unverifiable Dependencies (MEDIUM): The scripts `init-artifact.sh` and `bundle-artifact.sh` install a large volume of packages from the npm registry. While these are common libraries, they are installed without hash verification or strict version pinning for the majority of the stack.
- Privilege Escalation (MEDIUM): `scripts/init-artifact.sh` attempts a global installation of `pnpm` (`npm install -g pnpm`). This often requires elevated privileges and modifies the system-wide environment.
- Dynamic Execution (MEDIUM): The skill dynamically generates configuration files and source code using `cat` and `node -e`, which are then compiled and executed. This multi-stage pipeline makes it difficult to verify the integrity of the final artifact.
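The three MEDIUM findings above (unpinned registry installs, the global `pnpm` install, and run-time generation of code and config) can all be caught before a skill's scripts are ever run. The Node script below is an added example written for this audit; it is not code from the artifacts-builder skill or from the Trust Hub. It assumes the skill ships a `package.json` and bash scripts under `scripts/`, and the sample manifest, script lines and rule names are constructed for the example.

```javascript
// Added example (not the audited skill's code): a static pre-install gate for
// an agent skill. It flags dependency specifiers that are not exact versions
// and shell lines that match the patterns called out in the audit.

// Only an exact semver triple (optionally with a prerelease tag) counts as
// pinned; ranges like ^1.2.3, ~1.2.3, * and tags like "latest" do not.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;

function findUnpinned(pkg) {
  const out = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_SEMVER.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

// Shell patterns matching the audit's findings. Rule names are this example's own.
const SHELL_RULES = [
  // Global installs usually need elevated privileges and change the host.
  { rule: "global-install",   re: /\b(?:npm|pnpm|yarn)\s+(?:install|i|add)\b[^|\n]*\s(?:-g|--global)\b/ },
  // An install that does not enforce the lockfile can resolve new versions each run.
  { rule: "unfrozen-install", re: /\bpnpm\s+install\b(?![^\n]*--frozen-lockfile)/ },
  // Downloading a script and piping it straight into a shell, with no integrity check.
  { rule: "pipe-to-shell",    re: /\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b/ },
  // Source or config written at run time from a heredoc (cat ... << ... > file).
  { rule: "heredoc-write",    re: /\bcat\b(?=[^\n]*<<)(?=[^\n]*>)/ },
  // Code evaluated from a string instead of a reviewable file on disk.
  { rule: "node-eval",        re: /\bnode\s+(?:-e|--eval|-p|--print)\b/ },
  { rule: "shell-eval",       re: /\beval\b/ },
];

function findRiskyShellLines(scriptText) {
  const findings = [];
  scriptText.split("\n").forEach((raw, i) => {
    const text = raw.trim();
    if (text === "" || text.startsWith("#")) return; // blank lines, comments, shebang
    for (const { rule, re } of SHELL_RULES) {
      if (re.test(text)) findings.push({ line: i + 1, rule, text });
    }
  });
  return findings;
}

// Combine both checks into one verdict: ok only when nothing was flagged.
function gateSkill({ packageJson, scripts }) {
  const findings = [];
  for (const u of findUnpinned(packageJson)) {
    findings.push({ kind: "unpinned-dependency", where: `package.json:${u.field}.${u.name}`, detail: u.spec });
  }
  for (const [path, text] of Object.entries(scripts)) {
    for (const f of findRiskyShellLines(text)) {
      findings.push({ kind: f.rule, where: `${path}:${f.line}`, detail: f.text });
    }
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample input: a manifest with mixed pinning and an init script
// that does what the audit describes (global pnpm install, heredoc, node -e).
const SAMPLE_PACKAGE_JSON = {
  name: "sample-artifact",
  dependencies: { react: "^18.3.1", "react-dom": "18.3.1" },
  devDependencies: { vite: "latest", typescript: "~5.4.0" },
};

const SAMPLE_INIT_SCRIPT = [
  "#!/usr/bin/env bash",
  "set -euo pipefail",
  "npm install -g pnpm",
  "pnpm install",
  "cat > vite.config.ts <<'EOF'",
  "export default {};",
  "EOF",
  "node -e \"require('fs').writeFileSync('tsconfig.json', JSON.stringify({}))\"",
].join("\n");

const SAMPLE_REPORT = gateSkill({
  packageJson: SAMPLE_PACKAGE_JSON,
  scripts: { "scripts/init-artifact.sh": SAMPLE_INIT_SCRIPT },
});
console.log(JSON.stringify(SAMPLE_REPORT, null, 2)); // ok: false, 7 findings
```

The gate is a static check and only addresses the three MEDIUM findings; it does nothing about the HIGH finding, which needs the generated bundle to be executed in an isolated environment rather than the agent's own. For the flagged lines, the fixes are the usual ones: exact versions in `package.json` with `pnpm install --frozen-lockfile`, and a project-local `pnpm` (for example via Node's bundled `corepack`) instead of `npm install -g`.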
Recommendations
- AI detected serious security threats
Audit Metadata