ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Macos Spm App Packaging

Scaffold, build, and package SwiftPM-based macOS apps without an Xcode project. Use when you need a from-scratch macOS app layout, SwiftPM targets/resources, a custom .app bundle assembly script, or signing/notarization/appcast steps outside Xcode.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 2k · 4 current installs · 4 all-time installs
by@dimillian
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (SwiftPM macOS packaging, signing, notarization, appcast) aligns with the included templates and docs. The templates implement expected functionality: building, packaging, codesigning, notarization, and Sparkle appcast generation. Minor mismatch: registry metadata lists no required env vars, but the scripts and reference docs document several optional but sensitive environment variables used for notarization and Sparkle (APP_STORE_CONNECT_*, SPARKLE_PRIVATE_KEY_FILE, APP_IDENTITY).
!
Instruction Scope
SKILL.md and templates instruct running build/package/sign/notarize flows and include scripts that: call git, swift build/test, lipo, codesign, xcrun notarytool, spctl, security import, openssl and write temporary files in /tmp. The scripts will write an App Store Connect key file from an env var, import a generated PKCS#12 into the user's login keychain, and remove temp files—these are beyond simple file scaffolding and modify system state. The SKILL.md does not instruct arbitrary data exfiltration, but the scripts reference environment variables and system commands that are sensitive and can affect the user's keychain and signing identities.
Install Mechanism
No install spec (instruction-only with included template files). No network downloads or remote installers are embedded in the skill. All code is present in the template files so nothing external is fetched by the skill itself.
!
Credentials
The skill metadata declares no required environment variables, yet several templates and the release docs rely on sensitive env vars at runtime: APP_STORE_CONNECT_API_KEY_P8, APP_STORE_CONNECT_KEY_ID, APP_STORE_CONNECT_ISSUER_ID (notarization), SPARKLE_PRIVATE_KEY_FILE / SPARKLE_DOWNLOAD_URL_PREFIX / SPARKLE_RELEASE_VERSION (appcast), APP_IDENTITY, and optional APP_ENTITLEMENTS. These credentials are reasonable for notarization/appcast flows but are sensitive; scripts write API key contents to /tmp and import certificates into the login keychain—actions that should be made explicit to users and not assumed safe.
!
Persistence & Privilege
The skill does not request 'always' or persistent inclusion, but some templates (setup_dev_signing.sh) create certificates and import them into the user's login keychain (security import). That modifies system state and can create persistent signing identities. sign-and-notarize.sh uses the App Store Connect key written into /tmp for notarytool operations. These behaviors require the user's explicit consent and careful review because they affect system-level trust and signing configuration.
What to consider before installing
This skill appears to provide legitimate macOS SwiftPM packaging workflows, but several scripts perform sensitive actions. Before using/installing: 1) Review the scripts line-by-line (especially setup_dev_signing.sh and sign-and-notarize.sh). 2) Do not paste private keys or App Store Connect key material into an agent or into environment variables unless you trust the source; the scripts write keys to /tmp and call notarization APIs. 3) Be aware setup_dev_signing.sh will create and import a certificate into your login keychain—only run it if you understand and accept that change, and prefer to create/import certs manually in Keychain Access. 4) Run these scripts in an isolated/test environment (or VM) first. 5) Prefer obtaining this tooling from a repository with a known maintainer, commit history, and checksums; lack of a homepage/source URL is an additional risk. If you provide the App Store Connect/P8 key or Sparkle private key, ensure you rotate or audit use afterward. Additional information that would increase confidence: a public source repo, maintainer identity, release signatures/checksums, and an explicit manifest of which env vars are required vs optional.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk974bbq374p2g93d50r3cnhaz57yt7vr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

macOS SwiftPM App Packaging (No Xcode)

Overview

Bootstrap a complete SwiftPM macOS app folder, then build, package, and run it without Xcode. Use assets/templates/bootstrap/ for the starter layout and references/packaging.md + references/release.md for packaging and release details.

Two-Step Workflow

  1. Bootstrap the project folder

    • Copy assets/templates/bootstrap/ into a new repo.
    • Rename MyApp in Package.swift, Sources/MyApp/, and version.env.
    • Customize APP_NAME, BUNDLE_ID, and versions.

  2. Build, package, and run the bootstrapped app

    • Copy scripts from assets/templates/ into your repo (for example, Scripts/).
    • Build/tests: swift build and swift test.
    • Package: Scripts/package_app.sh.
    • Run: Scripts/compile_and_run.sh (preferred) or Scripts/launch.sh.
    • Release (optional): Scripts/sign-and-notarize.sh and Scripts/make_appcast.sh.
    • Tag + GitHub release (optional): create a git tag, upload the zip/appcast to the GitHub release, and publish.

Templates

  • assets/templates/package_app.sh: Build binaries, create the .app bundle, copy resources, sign.
  • assets/templates/compile_and_run.sh: Dev loop to kill running app, package, launch.
  • assets/templates/build_icon.sh: Generate .icns from an Icon Composer file (requires Xcode install).
  • assets/templates/sign-and-notarize.sh: Notarize, staple, and zip a release build.
  • assets/templates/make_appcast.sh: Generate Sparkle appcast entries for updates.
  • assets/templates/setup_dev_signing.sh: Create a stable dev code-signing identity.
  • assets/templates/launch.sh: Simple launcher for a packaged .app.
  • assets/templates/version.env: Example version file consumed by packaging scripts.
  • assets/templates/bootstrap/: Minimal SwiftPM macOS app skeleton (Package.swift, Sources/, version.env).

Notes

  • Keep entitlements and signing configuration explicit; edit the template scripts instead of reimplementing.
  • Remove Sparkle steps if you do not use Sparkle for updates.
  • Sparkle relies on the bundle build number (CFBundleVersion), so BUILD_NUMBER in version.env must increase for each update.
  • For menu bar apps, set MENU_BAR_APP=1 when packaging to emit LSUIElement in Info.plist.

Files

15 total
Select a file
Select a file to preview.

Comments

Loading comments…