genkit

Warn

Audited by Socket on Mar 6, 2026

1 alert found:

Anomaly (severity: LOW) in SKILL.md

The Genkit manifest is broadly aligned with its intended purpose of enabling AI workflows, flows, and deployments. The primary risk arises from the remote curl|bash installer (cli.genkit.dev) lacking integrity verification, which constitutes a significant supply-chain and execution risk. While environment-based API keys and plugin-based extensibility are expected, there is a need for safer distribution mechanisms (signed installers, pinned integrity checks, or npm-based installation with package-lock) and explicit secret-management practices (scoped secrets, vault integration, rotation). Until mitigations are in place, treat the installation pathway as Suspicious with recommended hardening steps to achieve Benign status.

Confidence: 68%
Severity: 65%
Audit Metadata
Analyzed At
Mar 6, 2026, 12:45 PM
Package URL
pkg:socket/skills-sh/akillness%2Fskills-template%2Fgenkit%2F@0c10a956c6a1b3c121525888fcd734a80f1c6a63