web-artifacts-builder
Warn
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSNO_CODE
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on shell scripts (
scripts/init-artifact.sh,scripts/bundle-artifact.sh) that perform file system manipulation and execute arbitrary commands viapnpm execandnode -e. This level of access is necessary for building code but carries inherent risks if malicious code is introduced. - [EXTERNAL_DOWNLOADS]: The initialization script downloads and installs a large number of packages from the npm registry and creates a project using a remote Vite template. This introduces a significant third-party dependency surface.
- [NO_CODE]: The
scripts/init-artifact.shscript (line 197) extracts a file namedshadcn-components.tar.gzinto the source directory. This file is missing from the provided skill folder, meaning the actual component code that will be part of the final artifact is opaque and unverifiable. - [COMMAND_EXECUTION]: The initialization script attempts to globally install software (
npm install -g pnpm) if it is not present, which modifies the execution environment beyond the scope of the project.
Audit Metadata