swiftui-expert-skill

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes local shell commands to interact with the system's xctrace utility for recording and exporting performance data.
      • Evidence:
          • scripts/record_trace.py uses subprocess.Popen to manage xctrace record sessions.
          • scripts/instruments_parser/xctrace.py uses subprocess.run to call xctrace export and xctrace version.
      • Context: All subprocess calls use the list-based argument format, which is a secure practice that prevents shell injection vulnerabilities. The commands are strictly scoped to legitimate performance profiling tasks.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes external data (Instruments .trace files) that could theoretically contain untrusted strings.
      • Ingestion points: scripts/analyze_trace.py parses trace data provided by the user.
      • Boundary markers: The analysis results are presented to the agent in structured JSON or Markdown formats.
      • Capability inventory: The skill can execute local profiling commands and read/write files as directed by the user.
      • Sanitization: The scripts use standard XML parsing and handle extracted data as literal strings without dynamic evaluation. While the ingestion of external performance data represents a theoretical injection surface, the risk is negligible given the structured nature of the data and the intended developer-centric use case.
Audit Metadata
Risk Level: SAFE
Analyzed: May 17, 2026, 08:26 PM
Security Audit — agent-trust-hub — swiftui-expert-skill