artifacts-builder
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOW
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (LOW): The setup and bundling processes download and install numerous packages from the NPM registry. While standard for web development, these represent external code being integrated into the environment.
- [Privilege Escalation] (LOW): `scripts/init-artifact.sh` installs pnpm globally (`npm install -g pnpm`), which may require or attempt to use elevated privileges.
- [Dynamic Execution] (LOW): The skill uses `node -e` to programmatically update configuration files (`tsconfig.json`) during the setup phase.
- [Indirect Prompt Injection] (LOW): The skill's primary function is to generate HTML artifacts. There is a potential risk that untrusted data handled by the agent could be interpolated into these artifacts, leading to client-side injection (XSS).