The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses subprocess.run in scripts/run_workflow.py to invoke a bundled shell script. The command is constructed as a list of arguments rather than a single shell string, which is a security best practice that prevents shell injection vulnerabilities.
[COMMAND_EXECUTION]: The shell script scripts/bootstrap_swift_package.sh executes swift package init, git init, swift build, and swift test. These operations are central to the skill's purpose of scaffolding and validating a Swift project. The script includes input validation for the --name parameter using a regular expression (^[A-Za-z][A-Za-z0-9_-]*$) and uses allow-lists for other parameters like --type and --platform.
[EXTERNAL_DOWNLOADS]: The Python scripts (scripts/run_workflow.py and scripts/customization_config.py) declare a dependency on the well-known PyYAML library using the uv script runner syntax. This is a standard method for managing dependencies in standalone Python scripts.
[DATA_EXFILTRATION]: The skill manages its own state by reading and writing to a local configuration file at ~/.config/gaelic-ghost/apple-dev-skills/apple-swift-package-bootstrap/customization.yaml. This is a standard practice for CLI tools to persist user preferences and does not involve network exfiltration.
[REMOTE_CODE_EXECUTION]: While the skill executes swift build and swift test on the newly created scaffold, these commands operate on code generated by the official swift package init tool and local templates, representing a standard developer workflow rather than an arbitrary remote code execution risk.

apple-swift-package-bootstrap