web-artifacts-builder
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill's initialization and bundling scripts (`init-artifact.sh`, `bundle-artifact.sh`) download and install over 50 Node.js packages from the npm registry. This significant dependency tree increases the attack surface for supply chain vulnerabilities.
- [COMMAND_EXECUTION] (MEDIUM): The script `init-artifact.sh` performs high-impact operations including the global installation of `pnpm` (`npm install -g pnpm`) if not detected. It also extracts an opaque binary tarball (`shadcn-components.tar.gz`) included with the skill to the filesystem.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The script executes `pnpm create vite`, which fetches and runs code from the `create-vite` starter template at runtime. This constitutes execution of code not locally present in the skill.
- [DYNAMIC_EXECUTION] (MEDIUM): The skill utilizes `node -e` to execute inline JavaScript strings for programmatically modifying configuration files (`tsconfig.json`). While the strings are currently static, this pattern is often a precursor to more dangerous dynamic execution.
- [INDIRECT_PROMPT_INJECTION] (LOW): The project name provided by the user is interpolated into a `sed` command in `init-artifact.sh` without sanitization. An adversarial project name could manipulate the `sed` stream or inject malicious HTML/JS into the resulting `index.html` title tag.
  - Ingestion points: Project name variable `$1` in `scripts/init-artifact.sh`.
  - Boundary markers: None present; input is used directly in a shell command and HTML template.
  - Capability inventory: Shell execution (`bash`), package management (`pnpm`, `npm`), and file extraction (`tar`).
  - Sanitization: Absent. No validation is performed on the project name string before use in `sed` or HTML.
Audit Metadata