infra-deploy
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [CREDENTIALS_UNSAFE]: Sensitive environment variables such as `DATABASE_URL`, `NEXTAUTH_SECRET`, and `ENCRYPTION_KEY` are passed to the `gcloud run deploy` command via the `--set-env-vars` flag. This practice can expose sensitive data to other users on the system via process monitoring tools like `ps`.
- [CREDENTIALS_UNSAFE]: The skill executes a `curl` command that includes the `CALCOM_API_KEY` directly in the URL query string. Secrets in URLs are often captured in server logs, proxy logs, or browser history.
- [COMMAND_EXECUTION]: The skill makes extensive use of the `Bash` tool to perform sensitive system operations, including building Docker containers, managing cloud infrastructure, and executing database migrations.
- [EXTERNAL_DOWNLOADS]: The skill pulls official Docker images for Cal.com and PostgreSQL and uses `npx` to run Prisma, which involves downloading packages from the npm registry.
Audit Metadata