Security Audit: web-artifacts-builder
Source: github.com/davila7/claude-code-templates

Trust Assessment
web-artifacts-builder received a trust score of 46/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 0 critical, 2 high, 3 medium, and 1 low severity. Key findings include network egress to untrusted endpoints, covert behavior / concealment directives, and command injection via an unescaped project name in a `sed` command.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, and LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| HIGH | Command injection via unescaped project name in `sed` command | The `scripts/init-artifact.sh` script uses the user-provided `PROJECT_NAME` directly within a `sed` command without proper escaping. An attacker could craft a malicious `PROJECT_NAME` containing `sed` delimiters or command separators to inject arbitrary shell commands, leading to remote code execution. | Sanitize or escape the `PROJECT_NAME` variable before using it within the `sed` command: escape special characters, or use a different string-replacement method that is not vulnerable to shell injection. | Static | scripts/init-artifact.sh:50 |
| HIGH | Opaque binary archive extraction (supply chain risk) | The `scripts/init-artifact.sh` script extracts a pre-packaged binary archive, `shadcn-components.tar.gz`, into the project directory. The contents of this tarball are not auditable from the provided context. A malicious tarball could contain files with absolute paths, overwrite critical system files, or introduce malicious code that is later executed during the build or development process. This poses a significant supply chain risk, as the source of this archive is internal to the untrusted skill. | Avoid distributing pre-compiled or opaque binary archives within skills. Instead, provide clear instructions for users to download components from trusted, verifiable sources, or include source code directly. If an archive is necessary, ensure its integrity can be verified (e.g., via checksums) and that its contents are fully auditable. | Static | scripts/init-artifact.sh:40 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to a raw IP address. | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Unpinned dependencies in package installation | Multiple `pnpm add` and `pnpm install` commands in both `init-artifact.sh` and `bundle-artifact.sh` use unpinned versions for several packages (e.g., `parcel`, `create-vite`, `postcss`, `autoprefixer`, `tailwindcss-animate`, `class-variance-authority`, `clsx`, `tailwind-merge`, `lucide-react`, `next-themes`, and the global `pnpm` install). Each time the script is run it fetches the latest available version, which can change over time. An attacker who compromises a package registry or a package maintainer could introduce malicious code into a new version, which would then be automatically pulled and executed by the skill, leading to a supply chain attack. | Pin all dependencies to specific, immutable versions (e.g., `package@1.2.3`) to ensure reproducible builds and prevent unexpected changes or malicious updates. Use a lockfile (`pnpm-lock.yaml`) to further guarantee dependency versions. | Static | scripts/bundle-artifact.sh:23 |
| MEDIUM | Unpinned dependencies in package installation | Same finding as the preceding row (unpinned `pnpm add` / `pnpm install` versions), reported here at its second location in `init-artifact.sh`. | As above: pin all dependencies to immutable versions and use a `pnpm-lock.yaml` lockfile. | Static | scripts/init-artifact.sh:46 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text). | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Powered by SkillShield