build-macos-apps
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill extensively uses macOS CLI tools for the full application lifecycle, including `xcodebuild` for compilation, `xcrun` for developer utilities, `lldb` for debugging, and `instruments`/`xctrace` for profiling. It also includes commands to modify system-level settings like the active Xcode developer directory via `sudo xcode-select` and network proxy settings via `networksetup`. Additionally, it suggests persisting convenience aliases by modifying shell configuration files like `~/.zshrc` or `~/.bashrc` (referenced in `references/cli-workflow.md`).
- [EXTERNAL_DOWNLOADS]: The reference guides recommend installing several external development tools through package managers like Homebrew and RubyGems. These include `xcodegen`, `mitmproxy`, `xcbeautify`, `xcpretty`, and `xcsift`. It also integrates well-known libraries such as `Alamofire` for networking and `Sparkle` for application updates via Swift Package Manager (referenced in `references/macos-polish.md` and `references/networking.md`).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes data from external sources that could be influenced by an attacker. Specifically, build logs, crash reports, and network traffic captured by `mitmproxy` are analyzed by the agent to diagnose issues.
  - Ingestion points: Build error logs from `xcodebuild` (processed via `xcsift` as described in `references/cli-observability.md`), runtime logs from `log stream`, crash reports in `.ips` format (referenced in `workflows/debug-app.md`), and network traffic dumps from `mitmdump`.
  - Boundary markers: Absent; the workflows do not specify clear delimiters or instructions for the agent to ignore potentially malicious content embedded within these tool outputs.
  - Capability inventory: Across its various scripts and reference files (e.g., `references/system-apis.md`, `references/cli-workflow.md`), the agent has the authority to execute shell commands, write to the filesystem, and perform network requests.
  - Sanitization: Absent; there is no evidence of sanitization or filtering applied to external content before it is processed by the agent.
Audit Metadata