quarto-netlify

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The netlify.toml configuration uses a command that downloads a .deb package and executes the extracted binary (quarto render). This download-and-execute pattern from an unverified external source is a significant security risk.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill initiates a download from quarto.org, which is not included in the predefined trusted source list.
  • [COMMAND_EXECUTION] (MEDIUM): The build script performs multiple shell operations including package extraction and modification of the PATH environment variable.
  • [DATA_EXFILTRATION] (LOW): The deployment instructions suggest creating a public GitHub repository using the '--public' flag, which increases the risk of sensitive local data exposure if the environment is not properly sanitized.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 06:32 PM