clerk-swift
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFE
PROMPT_INJECTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its dynamic documentation fetching workflow.
  - Ingestion points: The agent is instructed to read the `README.md` from the locally installed `clerk-ios` package and subsequently fetch a remote markdown URL linked within that file to compile a checklist of setup steps.
  - Boundary markers: No instructions are provided to use delimiters or to ignore potential instructions embedded within the fetched external markdown content.
  - Capability inventory: The agent has permissions to modify application source code, update project configurations (such as `.xcodeproj` settings), and add sensitive app capabilities or Associated Domains.
  - Sanitization: No sanitization, validation, or filtering logic is defined for the external content before it is used to influence the agent's implementation actions.
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to wire the `CLERK_PUBLISHABLE_KEY` directly into the application's configuration code. It explicitly advises against using standard indirection methods like environment variables, `.plist` files, or build settings for managing this value, which may lead to poor secret management practices even for non-sensitive publishable keys.
- [EXTERNAL_DOWNLOADS]: The skill fetches setup instructions and configuration checklists from external markdown files. The source URLs are derived dynamically from the installed `clerk-ios` package's documentation. While these typically point to official vendor domains, this mechanism introduces a dependency on external content for critical project configuration steps.