anthropic-web-artifacts-builder

Pass

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The initialization script (scripts/init-artifact.sh) performs a global installation of pnpm via npm install -g pnpm if the tool is not already present. This action requires elevated system permissions and modifies the global environment.
  • [COMMAND_EXECUTION]: The skill extracts a binary tarball (shadcn-components.tar.gz) into the project's source directory during initialization. While this is used to provide UI components, the use of opaque binary archives is a factor in supply chain security.
  • [COMMAND_EXECUTION]: The script scripts/init-artifact.sh is vulnerable to injection in a sed command: $SED_INPLACE 's/<title>.*<\/title>/<title>'"$PROJECT_NAME"'<\/title>/' index.html. Because the $PROJECT_NAME variable is interpolated into the command string without sanitization, a project name containing single quotes or shell escape sequences could lead to file corruption or script injection in the generated HTML.
  • [EXTERNAL_DOWNLOADS]: The skill's scripts download and install a large number of frontend development packages from the NPM registry, including Vite, Tailwind CSS, and various Radix UI components.
Audit Metadata
Risk Level: SAFE
Analyzed: May 16, 2026, 07:15 PM