rust-cross
Audited by Socket on Feb 21, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected

Benign documentation with standard supply-chain considerations. Best practice recommendations include: pin tool versions, verify container image digests, prefer official/maintained registries, audit Cross.toml and .cargo/config.toml for unintended linker/runner configurations, and maintain a minimal, auditable cross-toolchain footprint. Overall, a low-to-moderate security risk primarily due to dependency on external container images and third-party tooling, not due to embedded malicious content.

LLM verification: The provided skill is a practical, well-aligned guide for Rust cross-compilation with expected references to cross and cargo-zigbuild workflows. I found no direct malicious code or indicators of active exfiltration/backdoor behavior in the artifact. However, multiple supply-chain risk patterns exist: unpinned cargo installs, unverified external downloads (Zig), Docker image tags pinned to mutable names (e.g., 'main'), and apt-get in pre-build steps. These increase the chance that an upstream com