macos-spm-app-packaging
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection through project configuration files. Build scripts source `version.env` directly into the shell environment without validation, which allows for arbitrary code execution if the project source is malicious.
  - Ingestion points: `package_app.sh`, `sign-and-notarize.sh` (sources `version.env`)
  - Boundary markers: None
  - Capability inventory: Full command execution, file system manipulation, and keychain access
  - Sanitization: None; the scripts use the shell `source` command on external files.
- CREDENTIALS_UNSAFE (LOW): The `sign-and-notarize.sh` script handles sensitive App Store Connect API keys by writing them to a temporary file in `/tmp/app-store-connect-key.p8`. Storing credentials in globally accessible directories like `/tmp`, even temporarily, risks exposure on multi-user systems.
- COMMAND_EXECUTION (LOW): The skill relies on a suite of shell scripts that execute numerous high-privilege commands, including code signing and keychain modifications (`setup_dev_signing.sh`). These operations are appropriate for build tools but present an exploitable surface if the skill is used to process untrusted code repositories.
Audit Metadata