depot-general
Audited by Socket on Feb 25, 2026
1 alert found:
Malware

This document is product documentation for the Depot CLI and related developer workflows. It describes legitimate installation, authentication, and CI integration steps. The main security concern is the use of a curl|sh install pattern (download-and-execute), which is a high-risk supply-chain vector even when it points to an official domain. Other issues are expected tradeoffs for an auth/CLI tool: passing tokens to registries and SDKs, references to remote resources (container images, raw GitHub content), and unpinned versions in CI examples. There is no evidence that the documentation itself contains malicious code, hidden exfiltration, hardcoded secrets, or obfuscated payloads. Overall risk is moderate due to the download-execute pattern and the sensitive credential handling inherent to the CLI's purpose; exercise standard mitigations (verify checksums or signatures, pin versions, avoid exposing tokens in logs, prefer OIDC in CI).