Apple Developer Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Apple development toolkit, but users should handle its App Store and LLM credentials carefully.

Install only if you trust the third-party Homebrew package and need App Store Connect automation. Prefer a private-key file or keychain-backed auth over raw private-key environment variables, avoid debug mode around secrets, and review any hook configuration before enabling automation that can publish builds, push git tags, or send notifications.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The skill explicitly documents raw private-key environment variables (`APPSTORE_PRIVATE_KEY`, `APPSTORE_PRIVATE_KEY_B64`) and a debug flag without any warning about secret exposure through shell history, process environments, logs, or CI output. In a skill that manages App Store Connect credentials, this omission can lead users to handle highly sensitive signing/authentication material insecurely, increasing the chance of credential leakage.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal