apple-dev-docs

The provided input is an opaque binary/packed archive (likely containing git/npm package objects). From the visible fragment there is no clear evidence of malicious code (no C2 domains, hard-coded credentials, or reverse-shell patterns in plaintext). However, meaningful security assessment cannot be completed without extracting and reviewing the contained files. Treat this artifact as untrusted: extract and analyze it in a sandboxed environment, inspect package metadata and any install scripts, and perform static and dynamic analysis before installing or executing any components. Until such review is completed, moderate caution is warranted.

[Skill Scanner] [Documentation context] Installation of third-party script detected This skill's described functionality is coherent with its purpose (doc search, App Store Connect management, and an iOS app builder). However, it relies on installing third-party binaries from a personal Homebrew tap and running a local setup script, and it instructs users to supply private App Store Connect keys to those tools. Those patterns are high-risk supply-chain signals: download-and-execute from unverified sources, lack of pinned versions or checksums, and potential credential forwarding to untrusted code. There is no direct evidence of embedded malware in the text, but the installation and execution model creates a meaningful risk of credential exposure or arbitrary code execution if the tapped packages or setup script are malicious or compromised. Recommend treating this skill as suspicious/vulnerable: verify the Homebrew tap and setup scripts' source code before use, prefer official distribution channels, require checksums/pinned versions, and avoid supplying private keys to third-party binaries you cannot audit. LLM verification: [LLM Escalated] The skill documentation reasonably describes useful Apple developer workflows, but the delivery model presents clear supply-chain and credential-handling risks. Primary concerns: installing prebuilt binaries from an unverified Homebrew tap, executing a setup script (download-and-execute), and providing long-lived private App Store Connect keys to third-party CLIs that may contact external services (including LLMs). Treat this package as suspicious until provenance of binaries and scripts is veri