Web Artifacts Builder
v0.1.0Suite of tools for creating elaborate, multi-component claude.ai HTML artifacts using modern frontend web technologies (React, Tailwind CSS, shadcn/ui). Use...
⭐ 0· 332·47 current·47 all-time
by@tlreal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
The name/description align with the instructions: initializing a React+TypeScript+Vite project, adding Tailwind/shadcn/ui, and bundling to a single HTML file is consistent with building multi-component web artifacts.
Instruction Scope
The SKILL.md tells the agent to run bash scripts (scripts/init-artifact.sh, scripts/bundle-artifact.sh) that are not included in the package. Following the instructions will require creating or running scripts that install npm packages, write .parcelrc, and inline assets. The instructions do not ask for secrets or to read system credentials, but they implicitly require running network downloads and file writes; optional testing guidance suggests using Playwright/Puppeteer (headless browsers) which can access the network and system resources.
Install Mechanism
There is no install spec (instruction-only), which is low-risk from the skill bundle perspective. However, the runtime steps require installing many npm packages (parcel, html-inline, radixes, etc.) which will cause network fetches and execution of package code if the agent follows the instructions—this is expected for a build workflow but represents normal supply-chain risk.
Credentials
The skill declares no environment variables, credentials, or config paths. That matches the stated purpose. Note: building and bundling require a Node/npm environment and network access to fetch packages but no secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges. It does not attempt to modify other skills or global agent config in the provided instructions.
Assessment
This skill is internally coherent for building bundled frontend artifacts, but it is instruction-only and provides no scripts or source to inspect. Before running any generated or suggested scripts: (1) review the exact scripts/commands you or the agent will run; they will install many npm packages from the public registry—consider running in a sandbox or container to limit risk; (2) verify the Node/npm versions and dependency list; (3) do not supply any credentials or secret files to the build; (4) treat optional use of Playwright/Puppeteer as able to access the network and local files and run it only in controlled environments; (5) if you want higher assurance, ask for the actual scripts (init-artifact.sh and bundle-artifact.sh) or a source repo so you can inspect them before execution.Like a lobster shell, security has layers — review code before you run it.
latestvk9719xss1haa0masy8d5ffkjd9834nbe
License
MIT-0
Free to use, modify, and redistribute. No attribution required.