carthage-annex
Use when the user wants to bring a project into the Carthage sandboxed dev-environment workflow. Trigger phrases include "annex this project into carthage", "carthage-annex", "set up carthage for this repo", "make this project carthage-compatible", "bring this repo into carthage", and "/carthage-...
Install this skill
Security score
The carthage-annex skill was audited on Jun 24, 2026 and we found 5 security issues across 2 threat categories, including 3 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 165 | - `build.args: { HOST_UID: ${HOST_UID}, HOST_GID: ${HOST_GID} }` |
Template literal with variable interpolation in command context
| 169 | - `mem_limit: ${CARTHAGE_MEM_LIMIT:-0}`, `cpus: ${CARTHAGE_CPUS:-0}` — both resolved by the CLI at `up` time; 0 means unlimited. |
Template literal with variable interpolation in command context
| 171 | - Mounts: `..:/workspace`, `${HOME}/.gitconfig:/home/carthage/.gitconfig:ro`, `${HOME}/.carthage/state/<slug>:/commandhistory:rw` (per-project shell-history dir; CLI creates the host side on `up`). Ag |
Access to hidden dotfiles in home directory
| 190 | carthage fortify # one-time host setup; installs this skill under ~/.carthage/skills/ and links configured agents to it |
Access to .env file
| 70 | - **Sidecar services** (Postgres, MySQL, Redis, RabbitMQ, Elasticsearch, MinIO, …): look at `docker-compose.yml` if one exists, ORM config (`alembic.ini`, `prisma/schema.prisma`, `config/database.yml` |