cargo-hosting

Pass

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's metadata specifies the installation of @cargo-ai/cli from the npm registry. This is the official command-line interface provided by the vendor for interacting with their services.
  • [COMMAND_EXECUTION]: The skill utilizes the cargo-ai utility to perform various project management tasks, such as hosting app init, hosting worker create, and hosting deployment promote. These are standard operational commands for the hosting service.
  • [DATA_EXFILTRATION]: The hosting deployment create --source <dir> command facilitates the transfer of local source code to the vendor's build servers. While this involves outbound data transfer, it is the primary intended function of the skill for hosting applications.
  • [CREDENTIALS_UNSAFE]: The hosting app env command is designed to fetch workspace and application-specific environment variables. The instructions correctly guide the user to redirect this sensitive output into a local .env.local file, adhering to industry-standard secret management practices for local development.
Audit Metadata
Risk Level
SAFE
Analyzed
Jul 10, 2026, 07:00 PM