expo-deployment
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill recommends using 'npx testflight' as a shortcut for iOS submissions. This executes a third-party package from the npm registry that is not maintained by the core Expo team. Running unversioned community code via npx represents a minor supply-chain risk.
- CREDENTIALS_UNSAFE (LOW): The documentation and configuration examples (eas.json) reference local file paths for sensitive credentials, including Google Service Account JSON keys and Apple .p8 API keys. While the skill includes instructions for using .gitignore and EAS Secrets, the reliance on local file paths for secrets is a potential risk vector for accidental exposure.
- COMMAND_EXECUTION (SAFE): The skill correctly utilizes the official Expo Application Services (EAS) CLI for performing application builds, submissions, and web deployments.
Audit Metadata