expo-deployment

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill recommends running npx testflight for iOS builds in SKILL.md and references/testflight.md.
  • Evidence: 'npx testflight ... One command builds and submits to TestFlight.'
  • Risk: There is no official 'testflight' package from Expo or Apple, and the skill names the package with no version pin, publisher or registry URL. npx resolves a bare name to whatever the npm registry currently serves under it, then runs that package's install scripts and binary with the agent's privileges, so a squatted, abandoned or hijacked name yields remote code execution on the developer machine or CI runner. Before allowing such a command, inspect the package (for example with npm view testflight, checking the maintainers and publish dates) and pin an exact version.
  • [COMMAND_EXECUTION] (LOW): Extensive use of shell commands for deployment and CI/CD automation.
  • Evidence: SKILL.md and references/workflows.md contain multiple CLI commands (eas build, eas submit) and bash scripts for checking git changes.
  • Risk: While standard for the skill's purpose, these commands form a significant capability surface for an AI agent: eas build and eas submit consume signing credentials and push artifacts to the app stores, and the bash scripts run in the developer's checkout with the agent's full shell access.
  • [DATA_EXFILTRATION] (LOW): Guidance on storing and managing sensitive credential files within the local project directory.
  • Evidence: references/play-store.md suggests storing ./google-service-account.json and references/ios-app-store.md suggests ./AuthKey_XXXXX.p8 locally.
  • Risk: Both files are long-lived credentials: the Google service-account JSON carries a private key that authorizes Play Console API calls, and AuthKey_XXXXX.p8 is an App Store Connect API private key. Placing them in the working directory makes them readable by any script or tool invoked in the project, exposes them to the agent's context window, and leaves a stray commit or bundled build one mistake away from leaking them. At minimum they should be gitignored and referenced from outside the repository or supplied through the CI secret store.
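The two findings above translate into checks a reviewer can run against a skill directory before an agent is allowed to execute it. The script below is an added example, not code from the audited skill or from the Trust Hub report: it flags every npx invocation in the skill's Markdown that is not pinned to an exact version, and every google-service-account.json or AuthKey_*.p8 file in the working tree that .gitignore does not cover. The sample SKILL.md, .gitignore and key files it creates are constructed for the demonstration, and the .gitignore matcher is a deliberate simplification (inside a real checkout, git check-ignore is the authoritative answer).

```shell
#!/bin/sh
# Added example (not part of the audited skill or of the Trust Hub report):
# two pre-flight checks that reproduce the EXTERNAL_DOWNLOADS and
# DATA_EXFILTRATION findings. All sample files below are constructed here.

# Print the package operand of every `npx` invocation in the given files,
# one per line; flags such as --yes are skipped.
npx_packages() {
  grep -hoE 'npx([[:space:]]+-[^[:space:]]*)*[[:space:]]+[^[:space:]`]+' "$@" 2>/dev/null |
  while IFS= read -r inv; do
    set -- $inv            # word-split: npx [flags...] package
    shift                  # drop the literal "npx"
    while [ $# -gt 0 ]; do
      case "$1" in
        -*) shift ;;
        *) printf '%s\n' "$1"; break ;;
      esac
    done
  done
}

# An operand counts as pinned only with an exact version (name@1.2.3 or
# @scope/name@1.2.3). Bare names, dist-tags (@latest) and ranges (^1.2.3)
# all resolve to whatever the registry serves at run time, so they fail.
is_pinned() {
  case "$1" in
    ?*@[0-9]*.[0-9]*.[0-9]*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print each unpinned npx package found in the given files; exit 1 if any.
find_unpinned_npx() {
  local out
  out="$(npx_packages "$@" | while IFS= read -r pkg; do
           is_pinned "$pkg" || printf '%s\n' "$pkg"
         done)"
  [ -n "$out" ] || return 0
  printf '%s\n' "$out"
  return 1
}

# Minimal .gitignore matcher: each non-comment line is tried as a shell glob
# against the relative path, its basename, and as a directory prefix. This
# covers "*.p8", "secrets/" and "google-service-account.json"; inside a real
# checkout use `git check-ignore -q <path>` instead.
ignored_by_gitignore() {
  local dir="$1" path="$2" pat
  [ -f "$dir/.gitignore" ] || return 1
  while IFS= read -r pat; do
    case "$pat" in ''|'#'*) continue ;; esac
    pat="${pat#/}"; pat="${pat%/}"          # "/foo/" -> "foo"
    case "$path" in $pat|*/$pat|$pat/*|*/$pat/*) return 0 ;; esac
    case "${path##*/}" in $pat) return 0 ;; esac
  done < "$dir/.gitignore"
  return 1
}

# Print credential files under $1 that .gitignore does not cover; exit 1 if any.
find_exposed_credentials() {
  local dir="$1" out
  out="$(cd "$dir" && find . -type f \( -name google-service-account.json \
           -o -name 'AuthKey_*.p8' \) | sed 's|^\./||' | sort |
         while IFS= read -r f; do
           ignored_by_gitignore . "$f" || printf '%s\n' "$f"
         done)"
  [ -n "$out" ] || return 0
  printf '%s\n' "$out"
  return 1
}

# Run both checks on a skill directory; exit 1 if either fired (CI gate).
audit_skill_dir() {
  local dir="$1" rc=0
  echo "== unpinned npx invocations in $dir =="
  find_unpinned_npx "$dir"/*.md || rc=1
  echo "== credential files not ignored by .gitignore =="
  find_exposed_credentials "$dir" || rc=1
  return "$rc"
}

# Constructed sample project reproducing both findings; prints its path.
make_sample_project() {
  local dir
  dir="$(mktemp -d)"
  cat > "$dir/SKILL.md" <<'EOF'
# Deployment skill (constructed sample)
iOS: `npx testflight` builds and submits to TestFlight in one command.
Android: `npx --yes eas-cli@16.0.0 build --platform android`.
Then `npx expo@latest prebuild`.
EOF
  printf '*.p8\n# keep\n' > "$dir/.gitignore"
  printf '{"type":"service_account"}\n' > "$dir/google-service-account.json"
  printf 'not a real key\n' > "$dir/AuthKey_ABC123.p8"
  printf '%s\n' "$dir"
}

# Stand-alone demo: the sample trips both checks, so audit_skill_dir returns 1.
sample="$(make_sample_project)"
audit_skill_dir "$sample" || echo "findings present (would fail CI)"
rm -rf "$sample"
```

On the sample, the first check reports testflight and expo@latest but accepts eas-cli@16.0.0, and the second reports google-service-account.json while the .p8 file is covered by the *.p8 pattern. Exact-version pinning is the point of is_pinned: a dist-tag such as @latest still lets the registry decide what runs.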
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:43 PM