macos-menubar-tuist-app
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions involve executing shell commands, specifically 'tuist build' for project validation and local scripts like 'run-menubar.sh' and 'stop-menubar.sh' for application lifecycle management.
- [EXTERNAL_DOWNLOADS]: The workflow uses 'curl' to query external API endpoints in order to verify data schemas and authentication requirements during development.
- [PROMPT_INJECTION]: An indirect prompt injection surface is present as the skill processes content from local project files (Tuist manifests and shell scripts) and external API responses, which are untrusted data sources. Evidence Chain:
  1. Ingestion points: 'Project.swift', 'Tuist.swift', 'run-menubar.sh', and API responses via 'curl'.
  2. Boundary markers: None specified for data interpolation.
  3. Capability inventory: 'tuist build', local script execution, and 'curl' network operations.
  4. Sanitization: No sanitization or validation of external content is mentioned.
Audit Metadata