Skills
skills/lv416e/dotfiles/artifacts-builder/Gen Agent Trust Hub

artifacts-builder

Warn

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis

================================================================================

🟡 VERDICT: MEDIUM

This skill provides scripts to initialize and bundle a React application using various frontend technologies. The primary security concern is the extensive use of external package managers (npm, pnpm) to download and install numerous dependencies at runtime. While these are common development tools and practices, they introduce a supply chain risk as the integrity of these external packages cannot be fully verified at analysis time. Additionally, pnpm is installed globally, which involves modifying system-wide executables.

Total Findings: 3

🟡 MEDIUM Findings: • Unverifiable Dependencies

  • scripts/executable_bundle-artifact.sh:14: pnpm add -D parcel @parcel/config-default parcel-resolver-tspaths html-inline
  • Installs external packages from public registries, posing a supply chain risk. • Unverifiable Dependencies
  • scripts/executable_init-artifact.sh:29: npm install -g pnpm
  • Installs an external package globally, posing a supply chain risk and modifying system-wide executables. • Unverifiable Dependencies
  • scripts/executable_init-artifact.sh:44, 49, 60, 142: pnpm create vite, pnpm install, pnpm add -D
  • Installs numerous external packages and templates from public registries, posing a supply chain risk.

🔵 LOW Findings: • Command Execution

  • scripts/executable_bundle-artifact.sh:32, 36: pnpm exec parcel build ..., pnpm exec html-inline ...
  • Executes commands from installed dependencies. The risk is primarily tied to the unverifiable nature of the dependencies themselves, not arbitrary command execution by the skill. • Command Execution
  • scripts/executable_init-artifact.sh:14, 29, 38, 44, 49, 60, 142, 145: Executes various shell commands (node, npm, pnpm, sed, tar). These are directly related to the skill's stated purpose of setting up a development environment and bundling. The primary risk is from the unverifiable dependencies they install and execute.

ℹ️ TRUSTED SOURCE References: • Documentation Link

  • SKILL.md:66: https://ui.shadcn.com/docs/components
  • Reference to external documentation, not a code download.

================================================================================

Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 12, 2026, 04:22 PM