blitz-app-smoke

Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION

Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill automatically installs the 'blitz' package globally via `npm install -g blitz` if it is not found on the system path. The installation is unpinned (no version is specified) and runs automatically during the 'prepare' phase.
  • [COMMAND_EXECUTION]: The run.sh script executes high-privilege Apple developer tools (xcodebuild, xcrun simctl) and the blitz CLI using values parsed from a local codex.blitz.toml file.
  • [REMOTE_CODE_EXECUTION]: The script uses `bash -lc "$install_cmd"` to execute an installation command that can be overridden by the environment variable BLITZ_INSTALL_CMD. Although the override is controlled by an environment variable, the default behavior of automatically running an installer during a 'smoke test' increases the risk of executing arbitrary code if the registry or the package is compromised.
  • [COMMAND_EXECUTION]: The config_value and resolver_config_value functions in run.sh use awk to parse codex.blitz.toml. Although they attempt to trim values, the extracted strings (such as project_path, workspace_path, and scheme) are later interpolated into shell commands for xcodebuild. A maliciously crafted configuration file in a repository could lead to command injection if these values are not properly sanitized.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 24, 2026, 07:14 AM