web-artifacts-builder

Warn

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSNO_CODE
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on shell scripts (scripts/init-artifact.sh, scripts/bundle-artifact.sh) that perform file system manipulation and execute arbitrary commands via pnpm exec and node -e. This level of access is necessary for building code but carries inherent risks if malicious code is introduced.
  • [EXTERNAL_DOWNLOADS]: The initialization script downloads and installs a large number of packages from the npm registry and creates a project using a remote Vite template. This introduces a significant third-party dependency surface.
  • [NO_CODE]: The scripts/init-artifact.sh script (line 197) extracts a file named shadcn-components.tar.gz into the source directory. This file is missing from the provided skill folder, meaning the actual component code that will be part of the final artifact is opaque and unverifiable.
  • [COMMAND_EXECUTION]: The initialization script attempts to globally install software (npm install -g pnpm) if it is not present, which modifies the execution environment beyond the scope of the project.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 26, 2026, 11:49 AM
Security Audit — agent-trust-hub — web-artifacts-builder