init-xcode-app

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses local CLI tools including xcodegen, xcodebuild, and node to generate, build, and verify the project structure. These operations are standard for the stated purpose of scaffolding an Xcode project.
  • [EXTERNAL_DOWNLOADS]: The CI configuration (assets/modules/ci/ci.yml) includes steps to install xcodegen and swiftlint via Homebrew within a GitHub Actions environment. These are well-known and standard development tools.
  • [PROMPT_INJECTION]: The skill includes functionality to ingest an optional jtbd.json file to populate project documentation and agent guidelines. This creates a surface for indirect prompt injection where instructions in the source file could influence an agent reading the generated project.
  • Ingestion points: jtbd.json processed by scripts/render-jtbd.sh.
  • Boundary markers: Absent in the templating logic.
  • Capability inventory: The skill performs file system operations, build commands, and script execution to initialize the project.
  • Sanitization: No sanitization is performed on the data substituted into the templates.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 01:17 AM
Security Audit — agent-trust-hub — init-xcode-app