xcode-project-analyzer
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: No malicious patterns or security vulnerabilities were identified during the analysis.
- [DATA_EXPOSURE]: The skill references several external resources for documentation and best practices. These include Apple's developer portal, Bitrise, RocketSim, and the author's own technical blog (avanderlee.com). All referenced domains are well-known services or legitimate vendor resources associated with the skill's primary purpose.
- [COMMAND_EXECUTION]: Although the skill is designed to modify Xcode project files and build scripts, it explicitly requires an approval gate. It instructs the agent to obtain explicit developer permission before making any changes to project files, schemes, or build settings.
- [PROMPT_INJECTION]: The skill contains standard operational instructions for auditing and reporting. It includes a workflow to hand off specific tasks to related skills (e.g., spm-build-analysis), which is a common pattern for modular AI agent skills and does not represent an attempt to bypass safety guidelines.
- [INDIRECT_PROMPT_INJECTION]: The skill's core function involves processing external, potentially untrusted data such as Xcode project files and build logs. While this creates a data ingestion surface, the skill treats this data as configuration to be audited rather than instructions to be executed. The risk of indirect injection is low, given the specific domain of build settings analysis.
Audit Metadata