godot-export-builds
Pass
Audited by Gen Agent Trust Hub on May 25, 2026
Risk Level: SAFECREDENTIALS_UNSAFEREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The script 'scripts/export_android_signing_env.ps1' contains a hardcoded placeholder password ('secure_password') for an Android release keystore. Additionally, 'scripts/export_macos_notarize_cmd.ps1' mentions the use of app-specific passwords for notarization. While intended as examples, hardcoding credentials in scripts is a poor security practice.
- [REMOTE_CODE_EXECUTION]: The script 'scripts/export_pck_patch_loader.gd' implements a pattern for downloading and mounting external '.pck' files using 'ProjectSettings.load_resource_pack'. Because Godot resource packs can contain executable scripts, this mechanism enables remote code execution if the file source is untrusted or the download channel is compromised.
- [EXTERNAL_DOWNLOADS]: The CI/CD workflow in 'scripts/export_ci_github_actions.yml' downloads Godot engine binaries and export templates from 'downloads.tuxfamily.org', the official Godot Engine mirror. It also uses the community GitHub Action 'firebelley/godot-export'.
- [COMMAND_EXECUTION]: Multiple scripts utilize shell commands for automation: 'scripts/export_version_sync.gd' executes 'git' to retrieve tags; 'scripts/export_headless_pipeline.ps1' and 'scripts/headless_build.sh' execute the 'godot' binary for headless builds; and 'scripts/export_macos_notarize_cmd.ps1' outlines the use of 'codesign' and 'notarytool' for app signing.
Audit Metadata