web-artifacts-builder

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The init-artifact.sh and bundle-artifact.sh scripts install numerous packages from the public npm registry using pnpm install and npm install -g. This introduces a dependency on external, unverified third-party code.
  • COMMAND_EXECUTION (MEDIUM): The skill makes extensive use of shell commands to create directories, write configuration files via heredocs (cat > file << 'EOF'), and run build tools like parcel and html-inline.
  • REMOTE_CODE_EXECUTION (MEDIUM): The command pnpm create vite downloads and executes a remote initialization script from the npm registry, which is a form of remote code execution.
  • DYNAMIC_EXECUTION (LOW): The script init-artifact.sh uses node -e to programmatically modify tsconfig.json files. While targeted at local files created by the skill, it represents dynamic code execution within the environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:28 PM