Generated source
This hub uses the same local package data as individual package pages: Nucleus package metadata, Homebrew enrichment, Geiger classifier output, secret-handling manifests, and approval-gate seeds where available.
security
Cloud CLIs often hold access to accounts, deploys, registries, state, and production infrastructure from a local shell.
summary
Cloud CLI packages currently includes 724 package catalog entries. 0 have protected-tool coverage, 2 have approval-gate metadata, and 288 have non-low Geiger classifier findings. The grouping comes from package metadata, so it can stay current as that metadata changes.
This hub uses the same local package data as individual package pages: Nucleus package metadata, Homebrew enrichment, Geiger classifier output, secret-handling manifests, and approval-gate seeds where available.
Use the hub to find command families that need tighter secret injection, approval gates, or manual review before agents run them.
packages
| Package | Manager | Signals | Why it appears here |
|---|---|---|---|
| awscli | Homebrew | approval gate, v2.35.17 | 8 approval-gate rules are present. |
| docker | Homebrew | approval gate, orange risk, v29.6.1 | 6 approval-gate rules are present. |
| apache-spark | Homebrew | yellow risk, v4.1.2 | broad file, network, media, or database tool signal |
| aws-shell | Homebrew | yellow risk, v0.2.2 | generalized runtime or code generation signal |
| crun | Homebrew | yellow risk, v1.28 | generalized runtime or code generation signal |
| docker-agent | Homebrew | yellow risk, v1.101.0 | generalized runtime or code generation signal |
| gimme | Homebrew | yellow risk, v1.5.6 | generalized runtime or code generation signal |
| gitlab-ci-local | Homebrew | yellow risk, v4.73.0 | generalized runtime or code generation signal |
| litani | Homebrew | yellow risk, v1.29.0 | generalized runtime or code generation signal |
| shellz | Homebrew | yellow risk, v1.6.0 | generalized runtime or code generation signal |
| act | Homebrew | green risk, v0.2.89 | narrow executable package without higher-risk signals |
| actions-batch | Homebrew | green risk, v0.0.3 | narrow executable package without higher-risk signals |
| aiven-client | Homebrew | v4.15.0 | no executable entrypoint in the package index |
| akamai | Homebrew | green risk, v2.0.4 | narrow executable package without higher-risk signals |
| ansible | Homebrew | v14.1.0 | no executable entrypoint in the package index |
| ansible-cmdb | Homebrew | green risk, v1.31 | narrow executable package without higher-risk signals |
| ansible-creator | Homebrew | green risk, v26.6.1 | narrow executable package without higher-risk signals |
| ansible-lint | Homebrew | v26.6.0 | no executable entrypoint in the package index |
| apache-brooklyn-cli | Homebrew | green risk, v1.1.0 | narrow executable package without higher-risk signals |
| apko | Homebrew | v1.2.23 | no executable entrypoint in the package index |
| argocd-autopilot | Homebrew | green risk, v0.4.20 | narrow executable package without higher-risk signals |
| argocd-vault-plugin | Homebrew | green risk, v1.18.1 | narrow executable package without higher-risk signals |
| athenacli | Homebrew | v1.7.0 | no executable entrypoint in the package index |
| atlantis | Homebrew | green risk, v0.46.0 | narrow executable package without higher-risk signals |
| autorest | Homebrew | green risk, v3.8.0 | narrow executable package without higher-risk signals |
| aws-amplify | Homebrew | v14.5.1 | no executable entrypoint in the package index |
| aws-console | Homebrew | green risk, v1.24.4 | narrow executable package without higher-risk signals |
| aws-elasticbeanstalk | Homebrew | v3.27.3 | no executable entrypoint in the package index |
| aws-google-auth | Homebrew | v0.0.38 | no executable entrypoint in the package index |
| aws-keychain | Homebrew | green risk, v3.0.0 | narrow executable package without higher-risk signals |
| aws-lc | Homebrew | v5.1.0 | no executable entrypoint in the package index |
| aws-nuke | Homebrew | v3.65.0 | no executable entrypoint in the package index |
| aws-rotate-key | Homebrew | green risk, v1.2.0 | narrow executable package without higher-risk signals |
| aws-sam-cli | Homebrew | v1.163.0 | no executable entrypoint in the package index |
| aws-spiffe-workload-helper | Homebrew | green risk, v0.0.5 | narrow executable package without higher-risk signals |
| aws-sso-cli | Homebrew | v2.3.1 | no executable entrypoint in the package index |
| aws-sso-util | Homebrew | v4.33.0 | no executable entrypoint in the package index |
| aws2-wrap | Homebrew | green risk, v1.4.0 | narrow executable package without higher-risk signals |
| awscli-local | Homebrew | v0.22.2 | no executable entrypoint in the package index |
| awscurl | Homebrew | v0.44 | no executable entrypoint in the package index |
| awsume | Homebrew | v4.5.5 | no executable entrypoint in the package index |
| awsweeper | Homebrew | green risk, v0.12.0 | narrow executable package without higher-risk signals |
| azcopy | Homebrew | v10.32.5 | no executable entrypoint in the package index |
| azion | Homebrew | green risk, v4.22.2 | narrow executable package without higher-risk signals |
| azqr | Homebrew | green risk, v3.1.3 | narrow executable package without higher-risk signals |
| aztfexport | Homebrew | green risk, v0.19.0 | narrow executable package without higher-risk signals |
| azure-dev | Homebrew | v1.27.0 | no executable entrypoint in the package index |
| azurehound | Homebrew | green risk, v2.12.2 | narrow executable package without higher-risk signals |
| backplane-cli | Homebrew | v0.11.0 | no executable entrypoint in the package index |
| basti | Homebrew | v1.8.0 | no executable entrypoint in the package index |
| bigquery-emulator | Homebrew | v0.8.1 | no executable entrypoint in the package index |
| bom | Homebrew | green risk, v0.7.1 | narrow executable package without higher-risk signals |
| boringtun | Homebrew | green risk, v0.7.1 | narrow executable package without higher-risk signals |
| brigade-cli | Homebrew | green risk, v2.6.0 | narrow executable package without higher-risk signals |
| bubblewrap | Homebrew | green risk, v0.11.2 | narrow executable package without higher-risk signals |
| buildkit | Homebrew | v0.31.1 | no executable entrypoint in the package index |
| calicoctl | Homebrew | green risk, v3.32.1 | narrow executable package without higher-risk signals |
| cargo-chef | Homebrew | green risk, v0.1.77 | narrow executable package without higher-risk signals |
| cdk8s | Homebrew | v2.207.37 | no executable entrypoint in the package index |
| cfv | Homebrew | green risk, v3.2.0 | narrow executable package without higher-risk signals |
| chamber | Homebrew | green risk, v3.1.5 | narrow executable package without higher-risk signals |
| chart-releaser | Homebrew | green risk, v1.8.1 | narrow executable package without higher-risk signals |
| chart-testing | Homebrew | green risk, v3.14.0 | narrow executable package without higher-risk signals |
| cli53 | Homebrew | green risk, v0.9.0 | narrow executable package without higher-risk signals |
| cmctl | Homebrew | green risk, v2.5.0 | narrow executable package without higher-risk signals |
| cntb | Homebrew | green risk, v1.6 | narrow executable package without higher-risk signals |
| consul-template | Homebrew | green risk, v0.42.0 | narrow executable package without higher-risk signals |
| convox | Homebrew | v3.24.11 | no executable entrypoint in the package index |
| cozyhr | Homebrew | green risk, v1.6.1 | narrow executable package without higher-risk signals |
| crane | Homebrew | v0.21.7 | no executable entrypoint in the package index |
| crossplane | Homebrew | green risk, v2.4.0 | narrow executable package without higher-risk signals |
| dagger | Homebrew | green risk, v0.21.7 | narrow executable package without higher-risk signals |