brew package intelligence

netlify-cli

Automic Vault tracks netlify-cli because plain text netlify cli credentials matters when AI agents run command-line tools on macOS.

Read docs Run scanner

overview

What Automic Vault knows about netlify-cli

Netlify command-line tool

Homepage

Not present in the local metadata.

Commands and aliases

No executable aliases were found in the local package database.

radioisotope

Plain Text Netlify CLI Credentials

Netlify CLI stores user API and GitHub tokens in plaintext JSON under its global config, currently at ~/Library/Preferences/netlify/config.json with legacy support for ~/.netlify/config.json. Our isotope stores that config in the macOS keychain and restores it into a temporary HOME only while `netlify` runs.

Local README excerpt

Netlify CLI radioisotope

This radioisotope protects Netlify CLI credentials that are normally stored in plaintext JSON under the user's Netlify global config.

What it migrates

It stores the full config JSON in the macOS keychain when either of these package-owned secrets is present:

users.<id>.auth.token
users.<id>.auth.github.token

The migration rewrites the local config to valid JSON with those token fields blanked. At runtime the wrapper restores the original config under a temporary HOME.

Caveats

Only the default current config path and legacy ~/.netlify/config.json

location are migrated.

Runtime config changes are not persisted back to keychain.
Direct execution of the original binary will not receive credentials.

Source: data/radioisotopes/netlify-cli/README.md

Coverage source

https://formulae.brew.sh/formula/netlify-cli

Caveats

Only the default current config path and legacy ~/.netlify/config.json location are migrated.
Runtime config changes are not persisted back to keychain.
Direct execution of the original binary will not receive credentials.

install metadata

Resolver facts

Package key	brew:netlify-cli
Last updated	2026-05-16T18:32:00Z
Pulse	updated

source trail

Generated from repository data

This page is regenerated by scripts/generate-pkg-pages.py. Deployments refuse to publish if www/pkg/ is stale relative to local package data.

Used sources

Nucleus package database
local isotope README
radioisotope security manifest