makepad-deployment

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The workflow utilizes Project-Robius-China/makepad-packaging-action@main. This organization is not listed as a trusted source. Use of the @main branch instead of a specific commit SHA allows the action's behavior to change without review, creating a significant supply chain vulnerability.
  • [COMMAND_EXECUTION] (LOW): The workflow accepts a user-provided args input that is passed directly to the packaging action. This is an indirect injection surface.
      • Ingestion points: community/dora-studio-package-workflow.md via inputs.args.
      • Boundary markers: Absent; inputs are interpolated directly into the action configuration.
      • Capability inventory: The workflow executes build commands and interacts with the GitHub Releases API.
      • Sanitization: No sanitization or validation is performed on the args string before execution.
  • [DATA_EXFILTRATION] (LOW): Multiple sensitive secrets (Apple certificates, provisioning profiles, and keychain passwords) are exposed as environment variables to the makepad-packaging-action. The use of an untrusted action for processing these secrets increases the risk of credential exposure.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:15 PM