widget-generator
Pass
Audited by Gen Agent Trust Hub on Jun 18, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses search tools (Grep and Glob) and the Bash tool to inspect the local filesystem. This is used solely to detect existing WidgetKit implementations, verify project structure, and identify target directories to prevent file conflicts during generation.
- [EXTERNAL_DOWNLOADS]: Includes references to official Apple developer documentation and human interface guidelines for WidgetKit. These are trusted sources provided for developer guidance and do not involve the execution of remote scripts.
- [DATA_EXFILTRATION]: Provided templates include standard code for iOS App Groups, using
UserDefaults(suiteName:)andFileManager.default.containerURL(forSecurityApplicationGroupIdentifier:). These are standard, required mechanisms for sharing data between an app and its widget extension and do not constitute exfiltration. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests user input via
AskUserQuestionand project metadata via file searches to populate code templates. However, this is limited to the intended primary purpose of code generation and does not involve autonomous execution of the resulting strings. - Ingestion points: User responses to configuration questions and Grep/Glob results from the project files.
- Boundary markers: Absent in the template interpolation logic.
- Capability inventory: Includes
Write,Edit, andBashtools. - Sanitization: Not explicitly mentioned in the generation logic.
Audit Metadata