ios-hig-design-guide
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill includes a Python script (
scripts/sync_apple_hig_sources.py) that fetches design documentation and metadata from Apple's official developer portal. - Source URL:
https://developer.apple.com/tutorials/data/index/design--human-interface-guidelinesand sub-paths. - Behavior: Downloads JSON data using standard libraries and saves it locally to the
references/directory. - [COMMAND_EXECUTION]: The
SKILL.mdinstructions guide the user to run a local Python script to synchronize the source data. - Command:
python3 scripts/sync_apple_hig_sources.py --skill-dir .. - Scope: The script performs file I/O within the skill directory and network requests to trusted Apple domains.
- [PROMPT_INJECTION]: The skill processes external data fetched from the Apple HIG, which represents a surface for indirect prompt injection.
- Ingestion points: External content is fetched by the sync script and stored in
references/raw/pages/. - Boundary markers: The workflow instructions emphasize reading only relevant sections and citing source paths, though explicit delimiters (like XML tags) are not defined in the prompt templates.
- Capability inventory: The skill is restricted to reading local markdown files and running a specific synchronization script. No arbitrary shell execution or external write capabilities are present.
- Sanitization: The script parses JSON and extracts text fragments, treating the content as trusted documentation from a well-known service.
Audit Metadata