App Hosting Basics

Name: agent-skills/firebase-app-hosting-basics
Author: firebase

View on GitHub↗

Share on X Share on LinkedIn Share on Bluesky

40Medium

The skill instructs the agent to use `

ThreatsCI SM CS BC S HITL

Behavior Analysis

Mismatch detected — The stated purpose implies the skill itself will deploy and manage applications. However, the skill's content is purely instructional, detailing how users can perform these actions via `firebase-tools` commands and configuration files, rather than the skill programmatically executing these actions.

Claims to do

App Hosting Basics: This skill enables the agent to deploy and manage modern, full-stack web applications (Next.js, Angular, etc.) using Firebase App Hosting.

Actually does

The skill provides instructions for configuring `firebase.json` and `apphosting.yaml` for Firebase App Hosting. It details how to use `npx firebase-tools@latest` commands like `apphosting:secrets` and `deploy` for managing secrets and deploying applications. It also directs users to a Firebase console URL for billing plan upgrades.

Threat Analysis

AI Agent Traps ↗Scanned 4/13/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoning1 finding

Cognitive StateMemory & Learningclean

Behavioural ControlAction1 finding

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseer1 finding

Skill Info

Namefirebase/agent-skills/firebase-app-hosting-basics

Registrygithub

Versionbfd90c4c5ec5

PURLpkg:github/firebase/agent-skills@bfd90c4c5ec5#firebase-app-hosting-basics

Stars224

Installs455,628

Source

Repository ↗SKILL.md ↗

SHA-256290812d34b60...

SHA-14d177d9f8e5d...

MD550f1149b5472...

TLSH4d415087aabf...

Size2,357 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

https://github.com/firebase/agent-skills/tree/main/skills/firebase-app-hosting-basics

455,628 installs

Claude CodeDocs

/plugin marketplace add firebase/agent-skills

/plugin install firebase-app-hosting-basics@firebase/agent-skills

Gemini CLIDocs

gemini extensions install https://github.com/firebase/agent-skills.git --consent

CursorDocs

Skills.shDocs

npx skills add https://github.com/firebase/agent-skills --skill firebase-app-hosting-basics

Assessments (3)

AI Agent Traps ↗

Command execution via npx for sensitive operationsmediumcommand execution

The skill instructs the agent to execute `npx` commands, specifically `npx -y firebase-tools@latest apphosting:secrets` for handling sensitive keys. While `firebase-tools` is legitimate, `npx` allows arbitrary package execution, and handling sensitive keys introduces a risk of credential exposure or manipulation if not properly secured or if user input is unsanitized.

90% confidenceline 47

npx -y firebase-tools@latest apphosting:secrets

Agent instructed to guide user to billing upgradeinfohuman social engineering

The skill explicitly instructs the agent to direct the user to a Firebase billing upgrade page. This is a benign instruction for a prerequisite, but demonstrates the agent being directed to influence human action.

90% confidenceline 11

Direct the user to https://console.firebase.google.com/project/_/overview?purchaseBillingPlan=metered to upgrade their plan.

Description Mismatchinfodescription mismatch

The stated purpose implies the skill itself will deploy and manage applications. However, the skill's content is purely instructional, detailing how users can perform these actions via `firebase-tools` commands and configuration files, rather than the skill programmatically executing these actions.

85% confidence

The skill content consists of descriptions, configuration examples (`firebase.json`, `apphosting.yaml`), and commands to run (`npx -y firebase-tools@latest apphosting:secrets`, `npx -y firebase-tools@latest deploy`), but no executable code within the skill itself to perform these actions.

Version History (2)

4679fc8dd31f40Medium4/15/2026 bfd90c4c5ec5current40Medium4/13/2026

Dependencies (1)

firebase.claude-plugin/marketplace.jsonnot scanned

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/firebase/agent-skills/firebase-app-hosting-basics.svg)](https://mondoo.com/ai-agent-security/skills/github/firebase/agent-skills/firebase-app-hosting-basics)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/firebase/agent-skills/firebase-app-hosting-basics"><img src="https://mondoo.com/ai-agent-security/api/badge/github/firebase/agent-skills/firebase-app-hosting-basics.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/firebase/agent-skills/firebase-app-hosting-basics.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow