artifacts-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): Both initialization and bundling scripts perform installation of packages from the npm registry. The packages are standard libraries such as Vite, Tailwind, and React.
- COMMAND_EXECUTION (LOW): The skill relies on shell scripts to manage the project lifecycle, including package management and bundling.
- DYNAMIC_EXECUTION (LOW): The setup script uses 'node -e' to dynamically update configuration files like tsconfig.json. This is a targeted use of dynamic execution for environment setup.
- INDIRECT_PROMPT_INJECTION (LOW): Untrusted data (project name) enters via script arguments in init-artifact.sh. Evidence: 1. Ingestion: $1 in init-artifact.sh. 2. Boundary markers: Absent. 3. Capabilities: bash, pnpm, node. 4. Sanitization: Absent. Severity is LOW as it is a local setup tool.
Audit Metadata