xcode-build-resolver

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The diagnostic script scripts/quick-diagnostic.sh is vulnerable to arbitrary command injection due to the use of eval on unsanitized script arguments.
      • Evidence: The script constructs a BUILD_CMD string from the variables $SCHEME, $WORKSPACE, and $CONFIGURATION, which is then executed via eval "$BUILD_CMD" on line 185.
      • Risk: If an attacker can influence these parameters (e.g., via a malicious project name or configuration found in a repository the agent is analyzing), they could execute arbitrary shell commands on the host system.
  • [EXTERNAL_DOWNLOADS]: The skill documentation and scripts facilitate the download of third-party dependencies from external repositories.
      • Evidence: Instructions and references include the use of pod install --repo-update and swift package resolve to fetch external modules.
      • Context: While these are standard developer operations, they involve downloading and potentially executing code from remote sources (GitHub, CocoaPods CDN).
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted project data and build logs without sanitization or strict boundary markers.
      • Ingestion points: The skill reads build error logs, file contents, and project configuration files (Package.swift, Podfile, .xcworkspace).
      • Boundary markers: No delimiters or explicit instructions are provided to the agent to ignore instructions embedded within the files being analyzed.
      • Capability inventory: The skill utilizes powerful CLI tools including xcodebuild, swiftc, pod, and the security utility, alongside the vulnerable quick-diagnostic.sh script.
      • Sanitization: There is no evidence of input validation, escaping, or filtering of content extracted from the project environment before it is passed to shell commands or the diagnostic script.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 07:29 AM