macos-spm-app-packaging
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill includes shell scripts for automating macOS application packaging. These scripts interact with system tools such as codesign, xcrun, lipo, and ditto to create .app bundles and sign them.
- [CREDENTIALS_UNSAFE]: The signing and notarization templates (e.g., sign-and-notarize.sh) handle sensitive App Store Connect API keys and private certificates. These are passed via environment variables and written to temporary files in the /tmp directory. While these files are deleted upon script completion, their presence in a shared directory during execution represents a potential credential exposure risk.
Audit Metadata