lovstudio-finder-action

Warn

Audited by Gen Agent Trust Hub on May 2, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides templates for generating shell scripts and Swift code. It specifically guides the agent to create a 'Helper App' in /Applications/ that executes arbitrary shell commands retrieved from the system clipboard using pbpaste. This is an architectural pattern used to escape macOS sandbox restrictions.
  • [COMMAND_EXECUTION]: The skill dynamically generates and compiles Swift code using xcodegen and xcodebuild, then installs the resulting binaries into /Applications/ and registers them with the system using pluginkit.
  • [COMMAND_EXECUTION]: The instruction set includes the creation of .workflow files in ~/Library/Services/ and the execution of system-level commands like killall Finder and /System/Library/CoreServices/pbs -update to register new services.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it takes untrusted user descriptions of desired actions and interpolates them directly into shell script templates and Swift code (e.g., ACTION_IMPLEMENTATION in FinderSync.swift). There are no explicit boundary markers or sanitization steps documented to prevent the generated code from performing unintended operations if the user input contains malicious instructions.
  • [COMMAND_EXECUTION]: The xcodegen-template.yml file includes configurations for entitlements that request broad filesystem access via com.apple.security.temporary-exception.files.absolute-path.read-write targeting the root path (/), which violates the principle of least privilege.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 2, 2026, 05:08 AM