insforge-cli
Manages backend infrastructure for InsForge projects, including database operations, serverless functions, and project management.
Install this skill
Security score
The insforge-cli skill was audited on May 12, 2026 and we found 22 security issues across 4 threat categories, including 4 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 293 | **Schedules accept two cron formats**: 5-field cron (`minute hour day month day-of-week`, e.g. `*/5 * * * *`) **or** pg_cron interval syntax for sub-minute cadence (e.g. `30 seconds`). 6-field cron wi |
Template literal with variable interpolation in command context
| 485 | ```bash |
Template literal with variable interpolation in command context
| 539 | Headers can reference secrets stored in InsForge using the syntax `${{secrets.KEY_NAME}}`. |
Template literal with variable interpolation in command context
| 541 | ```json |
Template literal with variable interpolation in command context
| 560 | - Use `${{secrets.KEY_NAME}}` in headers for API keys and tokens |
Piping content to sh shell
| 433 | # Install flyctl once: curl -L https://fly.io/install.sh | sh |
Curl to non-GitHub URL
| 433 | # Install flyctl once: curl -L https://fly.io/install.sh | sh |
Webhook reference - potential data exfiltration
| 4 | Use this skill when managing InsForge infrastructure with the CLI: projects, SQL, migrations, RLS policies, functions, storage buckets, frontend deployments, compute services, secrets/env vars, Stripe |
Webhook reference - potential data exfiltration
| 110 | - `npx @insforge/cli payments status` — show Stripe key, account, sync, and webhook status |
Webhook reference - potential data exfiltration
| 113 | - `npx @insforge/cli payments webhooks configure <environment>` — create or recreate the managed Stripe webhook endpoint |
Access to .env file
| 219 | # context now points at the branch — re-source .env if your dev server caches it |
Access to .env file
| 424 | - [ ] Never include `node_modules`, `.git`, `.env`, or `.insforge` in the upload |
External URL reference
| 291 | **Compute endpoints use .fly.dev**: Services get a public URL at `https://{name}-{projectId}.fly.dev`. Custom domains require DNS configuration. |
External URL reference
| 380 | npx @insforge/cli deployments env set VITE_INSFORGE_URL https://my-app.us-east.insforge.app |
External URL reference
| 390 | npx @insforge/cli deployments deploy . --env '{"VITE_INSFORGE_URL": "https://my-app.us-east.insforge.app", "VITE_INSFORGE_ANON_KEY": "ik_xxx"}' |
External URL reference
| 401 | npx @insforge/cli deployments env set VITE_INSFORGE_URL https://my-app.us-east.insforge.app |
External URL reference
| 433 | # Install flyctl once: curl -L https://fly.io/install.sh | sh |
External URL reference
| 452 | # Service is running with a public https://{name}-{project}.fly.dev endpoint |
External URL reference
| 490 | --url "https://my-app.us-east.insforge.app/functions/cleanup" \ |
External URL reference
| 498 | --url "https://my-app.us-east.insforge.app/functions/probe" \ |
External URL reference
| 564 | - Use the function URL format: `https://your-project.region.insforge.app/functions/{slug}` |
External URL reference
| 658 | "oss_host": "https://{appkey}.{region}.insforge.app" |