add-component

Fail

Audited by Socket on Feb 26, 2026

1 alert found:

Malware (HIGH)
SKILL.md

This ShipSwift 'add-component' skill is functionally coherent with its stated purpose (discovering and inserting SwiftUI recipes). However, it relies on third‑party infrastructure (api.shipswift.app) and instructs users to install a third‑party skill via npx and to set a long‑lived SHIPSWIFT_API_KEY environment variable. Those practices introduce supply‑chain and credential‑forwarding risks: an attacker who controls the recipe server or the installed skill package could deliver malicious code into a user's project or misuse the forwarded API key. The content does not contain direct exploit code or explicit exfiltration commands, so it is not confirmed malware, but the combination of installing third‑party code, registering an MCP server, and forwarding credentials is high‑impact and requires caution. Recommendations: validate the ShipSwift service and its package provenance, avoid exporting sensitive keys until you trust the provider, prefer scoped short‑lived credentials or per‑action OAuth flows if possible, review fetched recipes before inserting into source, and limit the agent's automated write/execute permissions.

Confidence: 95%
Severity: 90%

Audit Metadata

Analyzed At: Feb 26, 2026, 12:29 PM
Package URL: pkg:socket/skills-sh/signerlabs%2Fshipswift-skills%2Fadd-component%2F@90b623fb7809f369046b3d3d20ea82560f0e08b9