ios-marketing-capture-automation

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends installing dependencies from external, untrusted GitHub repositories (github.com/ParthJadhav/ios-marketing-capture and github.com/ParthJadhav/app-store-screenshots) using npx skills add and git clone.
  • [COMMAND_EXECUTION]: The provided capture-marketing.sh script executes various development commands including xcodebuild, xcrun simctl, and defaults. These commands interact with the host system's iOS simulator environment and filesystem.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting untrusted user data for build parameters.
      • Ingestion points: User-provided inputs for screens, elements, locales, device models, and simulator versions.
      • Boundary markers: None (the skill instructions do not specify using delimiters or ignore-instructions for these parameters).
      • Capability inventory: The shell script (capture-marketing.sh) performs subprocess calls and filesystem operations based on these variables.
      • Sanitization: None (the shell script uses variables like $DEVICE and $IOS_VERSION directly in grep and launch commands without validation).
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 16, 2026, 04:51 PM
Security Audit — agent-trust-hub — ios-marketing-capture-automation