web-artifacts-builder

Fail

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • COMMAND_EXECUTION (HIGH): Command injection in scripts/init-artifact.sh. The project name taken from the first argument is interpolated, unsanitized, into sed expressions. Because the value becomes part of the sed program rather than data, a name that closes the substitution delimiter and continues with further sed commands has those commands executed by sed, and with GNU sed's `e` command that becomes arbitrary shell command execution. The same value is also passed as `pnpm create vite "$PROJECT_NAME"`; the double quotes stop the shell from splitting or evaluating it, but a name beginning with `-` can still be parsed as an option by the invoked tool, so the argument needs validation before either use.
  • EXTERNAL_DOWNLOADS (MEDIUM): The scripts install packages from the npm registry at runtime with npm and pnpm instead of from a pinned, lockfile-controlled set. In particular `npm install -g pnpm` writes to the global npm prefix, which commonly requires elevated privileges, and fetches whatever version the registry serves at execution time, extending the supply-chain trust boundary to the registry and the network on every run.
  • COMMAND_EXECUTION (MEDIUM): scripts/init-artifact.sh uses `node -e` to run inline JavaScript that modifies configuration files at runtime. Program text assembled inside a shell script is harder to review, lint and diff than a checked-in file, which complicates security auditing.
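An added example, not code from web-artifacts-builder or from the audit: a shell reproduction of the sed-interpolation bug described above alongside a hardened version. The function names, the allowlist regex and the one-line template are assumptions constructed for illustration; the real script's sed expressions are not shown on this page.

```bash
#!/usr/bin/env bash
# Added example, not code from web-artifacts-builder. It reproduces the class
# of bug the audit describes (a project name spliced into a sed program) and
# shows a hardened version. Function names and the template are assumptions.

# Allowlist check for a lowercase npm-style name: no leading '-' (so the value
# cannot be parsed as an option by pnpm/vite), no sed metacharacters, no
# newlines, at most 214 characters.
validate_project_name() {
  name=$1
  nl='
'
  # grep matches per line, so a value containing a newline could slip one
  # valid line past the regex; reject embedded newlines explicitly first.
  case "$name" in
    *"$nl"*) return 1 ;;
  esac
  printf '%s\n' "$name" | grep -Eq '^[a-z0-9][a-z0-9._-]{0,213}$'
}

# Vulnerable pattern (template on stdin): the name is part of the sed program,
# so a value such as 'x/g;d;s/y/z' closes the substitution and appends its own
# sed commands (here 'd', which deletes every line of the template).
render_template_vulnerable() {
  sed "s/PROJECT_NAME/$1/g"
}

# Escape the characters that are special on the replacement side of s///:
# backslash, the delimiter and '&'. Redundant once the allowlist has passed,
# kept as defence in depth in case the allowlist is later relaxed.
escape_sed_replacement() {
  printf '%s' "$1" | sed -e 's|\\|\\\\|g' -e 's|[/&]|\\&|g'
}

# Hardened pattern: validate, then escape, then substitute.
render_template_safe() {
  name=$1
  if ! validate_project_name "$name"; then
    echo "refusing project name: $name" >&2
    return 1
  fi
  escaped=$(escape_sed_replacement "$name")
  sed "s/PROJECT_NAME/$escaped/g"
}
```

Run against a constructed template line such as `name = "PROJECT_NAME"`: the vulnerable function with the crafted name returns empty output because the injected `d` command discarded the line, while the hardened function rejects the same name and renders `my-app` correctly. Once the name has passed the allowlist it is also safe to hand to `pnpm create vite`, since a value starting with `-` can no longer reach the command line.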
Recommendations
  • Validate the project name against an allowlist (for example lowercase letters, digits, `.`, `_` and `-`, not beginning with `-`) before it is used in any command or sed expression, and reject everything else.
  • Do not splice the name into sed programs; after validation, escape `\`, `/` and `&` in the replacement, or perform the rewrite with a tool that receives the value as data rather than as program text.
  • Pin the pnpm version and install dependencies from a lockfile instead of running an unpinned `npm install -g pnpm` at runtime.
  • Move the `node -e` inline JavaScript into a checked-in script file so it can be reviewed and linted like the rest of the project.
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 21, 2026, 12:26 PM