web-artifacts-builder
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/init-artifact.sh` modifies the global system environment by executing `npm install -g pnpm` if the package manager is not detected.
- [COMMAND_EXECUTION]: The `scripts/init-artifact.sh` script uses `node -e` to dynamically execute JavaScript code for manipulating `tsconfig.json` and `tsconfig.app.json` files during the setup process.
- [COMMAND_EXECUTION]: The `init-artifact.sh` script contains a shell injection vulnerability in the `sed` command, where the `$PROJECT_NAME` variable is concatenated into a command string without sufficient sanitization.
- [EXTERNAL_DOWNLOADS]: The skill triggers multiple large-scale downloads from the NPM registry, including the Vite build tool, Tailwind CSS, Parcel, and over 40 Radix UI and shadcn/ui components.
- [REMOTE_CODE_EXECUTION]: The scripts use `pnpm exec` to run third-party binaries such as `parcel` and `html-inline`, which execute code locally to build and bundle the final application artifact.
- [COMMAND_EXECUTION]: The `init-artifact.sh` script performs an unverified extraction of a local tarball `shadcn-components.tar.gz` into the project source directory.
Audit Metadata