web-artifacts-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The scripts `init-artifact.sh` and `bundle-artifact.sh` perform multiple `pnpm install` and `pnpm add` operations. While these are standard for a frontend build tool, they introduce a dependency on the npm registry and can pull in unverified third-party code at runtime.
- COMMAND_EXECUTION (MEDIUM): The skill utilizes `node -e` to dynamically modify `tsconfig.json` and `tsconfig.app.json`. It also generates several configuration files (Tailwind, PostCSS, Vite) via shell redirections. These are legitimate build-time operations but involve runtime script generation and execution.
- PRIVILEGE_ESCALATION (MEDIUM): The initialization script attempts to install `pnpm` globally using `npm install -g pnpm`. This modifies the global environment of the runner, which may be undesirable or restricted in certain execution environments.
- DYNAMIC_EXECUTION (LOW): The skill uses `pnpm exec` to run build tools like `parcel` and `html-inline`. This is standard for the tool's stated purpose of bundling artifacts.