releasing-macos-apps
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
- PROMPT_INJECTION (MEDIUM): In Step 9 of SKILL.md, the instructions explicitly direct the user/agent to use `git commit --no-verify`. This is a direct instruction to bypass security controls (specifically gitleaks hooks) that are designed to prevent the accidental exposure of secrets in version control.
- COMMAND_EXECUTION (HIGH): The skill defines multiple shell command blocks (`xcodebuild`, `xcrun`, `hdiutil`, `gh`) that interpolate strings from local project files. This creates a significant indirect injection surface where a compromised project configuration file could lead to arbitrary command execution during the release process.
  - Ingestion points: `PROJECT.xcodeproj`, `.xcconfig`, and `appcast.xml` are read to extract versions and build settings.
  - Boundary markers: None. The agent is expected to interpolate variables directly into shell commands.
  - Capability inventory: Full filesystem access, subprocess execution (`xcodebuild`), and network operations (`gh release`, `notarytool submit`).
  - Sanitization: None. The skill assumes project metadata is trusted.
- CREDENTIALS_UNSAFE (MEDIUM): The workflow processes Apple ID credentials, app-specific passwords, and Sparkle private keys. It specifically suggests `echo "YOUR_SPARKLE_PRIVATE_KEY" | ...`, which can expose the secret to process monitoring tools and potentially to shell history, depending on the environment configuration.
- DYNAMIC_EXECUTION (MEDIUM): The skill relies on locating and executing binaries at computed paths (e.g., `~/Library/Developer/Xcode/DerivedData/PROJECT-HASH/...`), which is a form of dynamic loading that can be exploited if an attacker can influence the `PROJECT-HASH` or the contents of the `DerivedData` directory.
Recommendations
- AI detected serious security threats
Audit Metadata