ios-simulator
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The installation instructions direct users to download and add the skill from an untrusted GitHub repository ('https://github.com/tristanmanchester/agent-skills') which is not on the verified provider list.
- [REMOTE_CODE_EXECUTION] (HIGH): The skill promotes the use of 'npx skills add' against an untrusted remote source and suggests running 'pip install' for 'fb-idb' and 'brew install' for 'idb-companion' without version pinning or integrity checks.
- [COMMAND_EXECUTION] (HIGH): The skill acts as a wrapper for high-privilege system utilities ('xcrun simctl', 'idb', 'xcode-select'). Destructive commands such as 'erase' and 'delete' are exposed to the agent, which can lead to data loss if triggered by a malicious prompt.
- [PROMPT_INJECTION] (HIGH): Significant Indirect Prompt Injection vulnerability (Category 8).
- Ingestion points: The skill ingests untrusted data from simulator environments via 'ui tree', 'ui summary', 'clipboard get', and 'logs show' (SKILL.md).
- Boundary markers: Absent. There are no instructions or delimiters provided to prevent the agent from following commands embedded within app UI labels or logs.
- Capability inventory: The agent can execute destructive commands ('erase --yes', 'delete --yes'), manipulate the network layer ('openurl'), and modify system state ('privacy grant', 'app install').
- Sanitization: Absent. No mechanisms are described for sanitizing or escaping the data pulled from the simulator before it is processed by the AI.
- [DATA_EXFILTRATION] (MEDIUM): The skill provides tools to read the simulator clipboard ('clipboard get') and capture the screen ('screenshot'), which could be used to harvest sensitive information from the user's testing environment.
Recommendations
- AI detected serious security threats
Audit Metadata