web-artifacts-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Categories flagged: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (LOW): The scripts/init-artifact.sh script performs string interpolation of the user-provided <project-name> directly into a sed command: $SED_INPLACE 's/<title>.*<\/title>/<title>'$PROJECT_NAME'<\/title>/' index.html. An adversarial project name containing sed delimiters (like /) or shell metacharacters could cause the command to fail or result in unexpected file modifications.
- [EXTERNAL_DOWNLOADS] (SAFE): The skill automatically installs pnpm globally if not found and downloads numerous packages from the npm registry (Vite, Tailwind, Radix UI, etc.). These are from trusted sources and necessary for the skill's primary purpose.
- [REMOTE_CODE_EXECUTION] (SAFE): While the skill installs and executes build tools (Parcel, Vite), these are standard development workflows. No patterns of fetching and piping remote scripts to a shell (curl | bash) were detected.
- [DATA_EXFILTRATION] (SAFE): No attempts to access sensitive system files (e.g., SSH keys, AWS credentials) or exfiltrate data to non-whitelisted domains were found.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill is designed to ingest and process user code to create artifacts. This creates an inherent surface where untrusted data could be used to generate malicious HTML/JS. The mandatory evidence chain is as follows:
  - Ingestion points: Project name input in init-artifact.sh; user-edited source files in the React project.
  - Boundary markers: Absent. The script treats user input as trusted project metadata.
  - Capability inventory: Subprocess calls (pnpm, npm, tar, sed), file-system writes, and artifact bundling via Parcel.
  - Sanitization: None detected for the project name interpolation.
Audit Metadata