The Agent Skills Directory

[Indirect Prompt Injection] (HIGH): The skill ingests untrusted data from the iOS simulator environment which can be controlled by third-party applications. This creates a high-risk surface where an agent can be manipulated by the app it is testing.
Ingestion points: scripts/common/idb_utils.py (reads accessibility tree), scripts/push_notification.py (reads payload files), and scripts/app_launcher.py (reads app metadata).
Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands in the processed UI data.
Capability inventory: High-impact capabilities including simctl calls for app installation, simulator deletion (simctl_delete.py), and deep link navigation (open_url).
Sanitization: Absent. The skill does not sanitize or validate the content of the UI tree before presenting it to the agent.
[Command Execution] (MEDIUM): Multiple scripts utilize subprocess.run to execute xcrun simctl and idb commands with arguments derived from external input like bundle IDs and URLs. While arguments are passed as lists to mitigate shell injection, the high-privilege nature of the actions (e.g., uninstall, erase, delete) remains a risk under agent manipulation.
[Data Exposure] (LOW): scripts/push_notification.py and scripts/visual_diff.py allow reading local files based on path arguments. While restricted by json.load and Image.open respectively, this could be used to probe the existence or content of files on the host system if the agent is tricked.

ios-simulator-skill