Security audit

Swiftdata Code Review

Security checks across malware telemetry and agentic risk

Overview

This is a SwiftData code-review guide made only of Markdown reference files, with no evidence of hidden execution or sensitive access.

Safe to install for SwiftData-focused code review. Treat the migration examples as review guidance, but verify any migration code against Apple SwiftData behavior before applying it because one sample may be technically inconsistent.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The documented custom migration fetches `UsersSchemaV1.User` records and then reads `user.email`, but `UsersSchemaV1.User` only defines `name` in the earlier schema example. This is an active contradiction within the documentation: the example claims to show correct migration practice, yet the code as written cannot match the declared schema shape.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal