ios-app-scaffold

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • REMOTE_CODE_EXECUTION (CRITICAL): Confirmed detection of a piped shell execution pattern (curl -Ls https://install.tuist.io | bash). Whatever the server (or, because of -L, any redirect target) returns is executed immediately with the user's privileges, with no pinned version, checksum or signature check, so a compromised or substituted response cannot be detected before it runs. This is a high-risk pattern for host compromise.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill installs the Mockable dependency directly from a Git URL on a personal GitHub account (Kolos65/Mockable.git) rather than from a curated registry. Unless the reference is pinned to a tag or commit hash, the code resolved at build time can change without any change to the skill, creating a supply chain risk.
  • COMMAND_EXECUTION (LOW): The skill relies on executing a local Python script (scaffold.py) and the tuist CLI to perform its primary function.
  • PROMPT_INJECTION (LOW): Vulnerable to indirect prompt injection.
    1. Ingestion points: the AppName and bundle-id parameters passed to scaffold.py.
    2. Boundary markers: none present.
    3. Capability inventory: writing code files and directories to the local filesystem.
    4. Sanitization: no sanitization logic is visible in the provided architecture or skill instructions, so a parameter value containing path separators or shell metacharacters would reach the filesystem and the tuist CLI unchecked.
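As an added example (not the skill's own scaffold.py, and not code from the audit), the following Python shows the two mitigations the findings above call for: allow-list validation of the AppName and bundle-id parameters with a containment check on the target directory before anything is written to disk, and a pinned-hash check on a downloaded installer body so it can be verified before execution instead of being piped straight into bash. The regexes, function names and the sample installer bytes are assumptions; the page does not show what scaffold.py actually accepts.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Allow-list patterns (assumptions for this example; the audit does not show
# what scaffold.py accepts). AppName becomes a directory and target name, so it
# is limited to a Swift-identifier-like token; bundle-id must be reverse-DNS.
APP_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]{0,63}$")
BUNDLE_ID_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(\.[A-Za-z][A-Za-z0-9-]*)+$")


class ScaffoldInputError(ValueError):
    """Raised when a scaffold parameter fails validation."""


def is_valid_app_name(name: str) -> bool:
    return APP_NAME_RE.fullmatch(name) is not None


def is_valid_bundle_id(bundle_id: str) -> bool:
    return len(bundle_id) <= 155 and BUNDLE_ID_RE.fullmatch(bundle_id) is not None


def stays_under_root(root, app_name: str) -> bool:
    """True only if root/app_name resolves to a direct child of root.

    Defence in depth: even if the regex were loosened later, names such as
    '../etc', '/etc', '.' or '' cannot resolve outside the scaffold root.
    """
    root = Path(root).resolve()
    target = (root / app_name).resolve()
    return target.parent == root


def safe_target_dir(root, app_name: str) -> Path:
    if not stays_under_root(root, app_name):
        raise ScaffoldInputError(f"AppName {app_name!r} escapes {root}")
    return (Path(root).resolve() / app_name).resolve()


def validate_scaffold_params(app_name: str, bundle_id: str, root) -> dict:
    """Validate both ingestion points before any file is written."""
    if not is_valid_app_name(app_name):
        raise ScaffoldInputError(f"invalid AppName: {app_name!r}")
    if not is_valid_bundle_id(bundle_id):
        raise ScaffoldInputError(f"invalid bundle-id: {bundle_id!r}")
    return {
        "app_name": app_name,
        "bundle_id": bundle_id,
        "target": safe_target_dir(root, app_name),
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def installer_is_trusted(script: bytes, pinned_sha256: str) -> bool:
    """Compare a downloaded installer body against a hash pinned in the skill.

    This is the replacement for `curl -Ls ... | bash`: fetch the script to
    bytes first, verify it, and only then hand it to the shell. The execution
    step itself is deliberately left out of this example.
    """
    return hmac.compare_digest(sha256_hex(script), pinned_sha256.lower())


# Constructed sample installer body (not the real install.tuist.io script).
SAMPLE_INSTALLER = b"#!/bin/sh\necho 'installing tuist'\n"
# SHA-256 of empty input, a well-known constant, used here to show a mismatch.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

if __name__ == "__main__":
    print(validate_scaffold_params("MyApp", "com.example.myapp", "/tmp/scaffold"))
    for bad in ("../etc", "App; rm -rf /", ""):
        print(repr(bad), "valid:", is_valid_app_name(bad),
              "contained:", stays_under_root("/tmp/scaffold", bad))
    print(installer_is_trusted(SAMPLE_INSTALLER, sha256_hex(SAMPLE_INSTALLER)))
    print(installer_is_trusted(SAMPLE_INSTALLER, EMPTY_SHA256))
```

The pinned hash must live in the skill itself (or in its lockfile), not be fetched from the same server as the script; otherwise the check only confirms that the server is consistent with itself. The same idea applies to the Mockable dependency: pin it to a commit hash or a release tag whose checksum is recorded, so a change at the remote cannot silently change what gets built.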
Recommendations
  • HIGH: Downloads and executes remote code from: https://install.tuist.io - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
CRITICAL
Analyzed
Feb 17, 2026, 06:31 PM