cicd-workflows

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH | REMOTE_CODE_EXECUTION | EXTERNAL_DOWNLOADS | CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The automated scanner identified a piped remote execution pattern (curl | sh) used to install the Databricks CLI from raw.githubusercontent.com. This is a high-risk practice as it executes unverified remote code with shell privileges. Although this action is central to the skill's primary purpose of setting up a Databricks environment, the source organization is not on the pre-approved trusted list, keeping the severity high.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill depends on external setup scripts hosted on GitHub. While the repository appears to be official, the lack of explicit trust for the 'databricks' organization in the provided security policy requires this finding, which is downgraded to LOW due to its functional necessity.
  • [CREDENTIALS_UNSAFE] (LOW): The deployment_script.py template relies on DATABRICKS_TOKEN and DATABRICKS_HOST environment variables. While using environment variables is a common practice for CI/CD automation, handling such secrets requires strict environment-level security to prevent unauthorized access to the Databricks workspace.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/databricks/setup-cli/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:08 PM