widget-generator

Pass

Audited by Gen Agent Trust Hub on Jun 18, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses search tools (Grep and Glob) and the Bash tool to inspect the local filesystem. This is used solely to detect existing WidgetKit implementations, verify project structure, and identify target directories to prevent file conflicts during generation.
  • [EXTERNAL_DOWNLOADS]: Includes references to official Apple developer documentation and human interface guidelines for WidgetKit. These are trusted sources provided for developer guidance and do not involve the execution of remote scripts.
  • [DATA_EXFILTRATION]: Provided templates include standard code for iOS App Groups, using UserDefaults(suiteName:) and FileManager.default.containerURL(forSecurityApplicationGroupIdentifier:). These are standard, required mechanisms for sharing data between an app and its widget extension and do not constitute exfiltration.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface as it ingests user input via AskUserQuestion and project metadata via file searches to populate code templates. However, this is limited to the intended primary purpose of code generation and does not involve autonomous execution of the resulting strings.
  • Ingestion points: User responses to configuration questions and Grep/Glob results from the project files.
  • Boundary markers: Absent in the template interpolation logic.
  • Capability inventory: Includes Write, Edit, and Bash tools.
  • Sanitization: Not explicitly mentioned in the generation logic.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 18, 2026, 05:18 PM
Security Audit — agent-trust-hub — widget-generator