instant-web-publishing-with-pigeonscale
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to use `npx -y pigeonscale`, which downloads the latest version of the Pigeonscale CLI from the NPM registry at runtime.
- [COMMAND_EXECUTION]: The skill executes multiple subcommands of the `pigeonscale` CLI for publishing sites, managing domains, and syncing configuration files. These commands interact with the local filesystem and the Pigeonscale API.
- [DATA_EXFILTRATION]: By design, the skill uploads the contents of a local directory (e.g., `./dist`) to the Pigeonscale service. It includes security measures such as default filtering of sensitive files (e.g., `.env*`, `*.vars`) and an automated local secret scan to mitigate the risk of data exposure.
- [CREDENTIALS_UNSAFE]: The skill manages authentication state by storing session metadata in `~/.config/pigeonscale/session.json`. It utilizes `cross-keychain` to securely store access tokens in the OS keychain when available, falling back to local files with restricted (0600) permissions when a native backend is absent.
- [SAFE]: The skill follows established patterns for vendor-provided tools. All external communications and package downloads are associated with the author's official infrastructure (pigeonscale.com).
Audit Metadata