build-ios-apps
Fail
Audited by Snyk on Jul 6, 2026
Risk Level: CRITICAL
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask for and embed secrets verbatim (Apple ID password in auth commands and API keys via
ios-cli login <api-key>) and to print tokenized preview/install URLs (JWTs) verbatim, which requires the LLM to handle secret values directly and risks exfiltration.
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). These are a mixed set: Apple and well-known GitHub links (realm, supabase, developer.apple.com, testflight) are low-risk, but several direct archive/OTA install endpoints and non-standard hosting (iosbuilds.composerapi.com raw-builds/*.tar.gz, ios.chorus.com install/api endpoints, chorus.host and other custom upload URLs) are direct-distribution channels for signed apps and archives — which are commonly used to deliver executables and thus represent a potentially risky download source if the signing service or account is untrusted or tampered with.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). This skill invokes the Vibecode signing service at runtime (SIGNING_SERVICE_URL default https://ios.chorus.com) and consumes build artifacts hosted at https://iosbuilds.composerapi.com, both of which the pipeline downloads/executes as part of cloud build/sign workflows, making them required runtime endpoints that execute remote code.
Issues (3)
W007
HIGHInsecure credential handling detected in skill instructions.
E005
CRITICALSuspicious download URL detected in skill instructions.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata