web-artifacts-builder

Pass

Audited by Gen Agent Trust Hub on Feb 21, 2026

Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • External Downloads (SAFE): The skill initializes projects and installs a large number of dependencies (React, Tailwind CSS, Radix UI) from the official NPM registry. These are reputable sources and essential for the skill's function.
  • Privilege Escalation (LOW): The init-artifact.sh script attempts to install pnpm globally using npm install -g. This constitutes a global environment modification beyond the local project scope.
  • Command Execution (SAFE): Shell scripts automate the build pipeline using vite, parcel, and sed. These operations are transparently defined and restricted to the initialized project directory.
  • Indirect Prompt Injection (LOW): The tool produces HTML artifacts which are susceptible to indirect prompt injection or XSS if the generated code includes unvetted instructions or scripts.
      • Ingestion points: Source files in the project directory are ingested by scripts/bundle-artifact.sh during the bundling process.
      • Boundary markers: Absent; the tool bundles the project's source code without isolation or sanitization.
      • Capability inventory: Uses parcel and html-inline to transform source code into a single executable HTML artifact.
      • Sanitization: Absent; the skill does not sanitize the code it bundles, relying on the user or the generating AI to ensure safety.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 21, 2026, 05:03 AM