macos-spm-app-packaging
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill utilizes several shell scripts (e.g., `package_app.sh`, `compile_and_run.sh`) to automate the build process. These scripts execute system commands, and the `package_app.sh` script specifically uses the `source` command to load `version.env`. This creates a risk where malicious shell code in a configuration file could be executed with the user's privileges.
- [CREDENTIALS_UNSAFE] (MEDIUM): The `sign-and-notarize.sh` script processes the `APP_STORE_CONNECT_API_KEY_P8` environment variable by writing it to `/tmp/app-store-connect-key.p8`. This location is typically world-readable on macOS (via `/private/tmp`), and although a cleanup trap is present, the key remains exposed if the script is interrupted or the system crashes during execution.
- [PROMPT_INJECTION] (MEDIUM): The `package_app.sh` script is vulnerable to indirect configuration injection when generating the `Info.plist` file.
  - Ingestion points: `APP_NAME` and `BUNDLE_ID` variables in `package_app.sh`.
  - Boundary markers: XML tags are used for the PLIST structure but do not sanitize inputs against tag injection.
  - Capability inventory: Modifies the application's `Info.plist`, which defines security settings, identity, and behavior of the generated macOS bundle.
  - Sanitization: No validation or escaping is performed on variables before they are interpolated into the XML template.
Audit Metadata