expo-deployment

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends executing 'npx testflight' as a shortcut for iOS submissions. This package is not an official tool and is fetched from an unverified source on the npm registry, so the code that runs is whatever the registry serves at invocation time.
  • [COMMAND_EXECUTION]: Provides instructions for using official CLI tools like 'eas-cli' and 'expo' to manage application builds and deployments.
  • [CREDENTIALS_UNSAFE]: Discusses the management of sensitive deployment credentials and correctly recommends using environment variables or EAS Secrets instead of hardcoding values.
  • [PROMPT_INJECTION]: The skill identifies a surface for indirect prompt injection through dynamic metadata fetching in 'store.config.js' (as described in 'references/app-store-metadata.md').
    - Ingestion points: Remote content fetched from an external API.
    - Boundary markers: No delimiters or ignore instructions are provided.
    - Capability inventory: Data is used by 'eas metadata:push'.
    - Sanitization: No validation or sanitization of external content is mentioned.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 1, 2026, 02:33 AM