cargo-hosting
Pass
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's metadata specifies the installation of
@cargo-ai/clifrom the npm registry. This is the official command-line interface provided by the vendor for interacting with their services. - [COMMAND_EXECUTION]: The skill utilizes the
cargo-aiutility to perform various project management tasks, such ashosting app init,hosting worker create, andhosting deployment promote. These are standard operational commands for the hosting service. - [DATA_EXFILTRATION]: The
hosting deployment create --source <dir>command facilitates the transfer of local source code to the vendor's build servers. While this involves outbound data transfer, it is the primary intended function of the skill for hosting applications. - [CREDENTIALS_UNSAFE]: The
hosting app envcommand is designed to fetch workspace and application-specific environment variables. The instructions correctly guide the user to redirect this sensitive output into a local.env.localfile, adhering to industry-standard secret management practices for local development.
Audit Metadata