Security audit

Ios Mac App Dev

Security checks across malware telemetry and agentic risk

Overview

This is a coherent iOS/macOS development helper, with some workflow steps that should be run with normal confirmation before modifying project or Issue Tracker state.

Reasonable to install for iOS/macOS development if you keep agent confirmations enabled for repository scans, file writes, generated reports, and Issue Tracker publishing. Verify Apple-policy guidance before relying on it, because the included policy monitor appears static rather than a live authoritative fetcher.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises capabilities that imply reading, writing, and network-backed automation, but no explicit permission model or disclosure is declared. That creates a trust and containment problem: users may trigger repository scanning or remote fetching behavior without clear consent boundaries, increasing the risk of unintended data access or exfiltration in an agent environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose emphasizes app-development guidance, but the implementation is prepared to perform network retrieval and repository-wide static scanning that are not clearly and narrowly disclosed. In an agent setting, this mismatch is dangerous because users may invoke what appears to be a harmless advisory skill while it accesses local source trees or external resources beyond their expectations.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The sample adaptive color logic is inverted: when `userInterfaceStyle == .dark`, it returns the light color, and otherwise returns the dark color. In a development skill focused on iOS/macOS app implementation, users may copy this code directly into production, causing incorrect dark-mode rendering, degraded readability, and possible accessibility/compliance issues.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The workflow first assures the model it will only write an HTML report to a temporary directory and 'not touch the repo', but later instructs modifying repository files such as CONTEXT.md and possibly creating an ADR. This mismatch can defeat user expectations and safety guardrails around write scope, causing unintended repository modifications during what appears to be a read/report-only phase.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The document contains internally conflicting instructions: it says '不碰 repo 里的东西' ("don't touch anything in the repo") while later directing edits to files in the repository. In agentic systems, contradictory scope instructions are dangerous because the more permissive action may be the one followed, resulting in unauthorized or surprising file changes.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrases are broad enough to match many ordinary software-development prompts, increasing the chance of accidental activation. Unintended invocation matters here because the skill appears able to scan files and use the network, so overbroad routing can expose more project data or cause actions the user did not specifically request.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The condition 'any issue involving Apple development policy' is ambiguous and can capture a very wide range of unrelated or sensitive requests. Because this skill includes compliance monitoring and network-oriented behavior, such ambiguity increases the likelihood of unnecessary activation and overcollection or overprocessing of project context.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The file is entirely written in Chinese and does not provide a language choice, fallback, or opt-in mechanism. In a general-purpose development skill, this can exclude or mislead users who do not read Chinese, causing requirement clarification to fail and increasing the chance of downstream implementation, compliance, or safety mistakes.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases include very generic requests such as '生成 PRD' ("generate a PRD"), '写个需求文档' ("write a requirements document"), and '整理一下需求' ("tidy up the requirements"), which can overlap with ordinary conversation and cause the skill to activate outside the user's intended scope. In an agentic environment, accidental activation can lead to unintended repository reads, architectural inference, or downstream write/publish actions without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs the agent to publish the generated PRD to an Issue Tracker or write into `docs/prd/` and apply a label, but it does not require explicit user confirmation, dry-run output, or warnings about modifying project state. Because this skill also reads repository context earlier in the workflow, accidental or over-broad activation could turn passive analysis into persistent external changes, creating integrity, privacy, and workflow-disruption risks.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger examples include very broad, everyday phrases such as '拆任务' ("break down the tasks") and '怎么排期' ("how to schedule it"), which can cause the skill to activate outside clearly scoped iOS/macOS development contexts. Over-broad activation increases the chance of unintended tool use or context capture, especially if the agent can read conversation state or interact with external systems like an Issue Tracker.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad everyday expressions such as '诊断一下' ("diagnose this") and '帮我查一下' ("help me look into this"), which can overlap with normal conversation and cause the skill to activate when the user did not explicitly request this workflow. In an agent system, overbroad activation can redirect unrelated requests into this skill, causing confusing behavior, policy-bypass opportunities through unintended routing, or reduced reliability of tool selection.

Natural-Language Policy Violations

Medium
Confidence
71% confidence
Finding
The file is entirely written as a Chinese-only workflow and does not indicate language negotiation or fallback behavior. In a multilingual agent environment, this can lead to user misunderstanding, incorrect execution of debugging steps, or missed safety/compliance nuances when the user's preferred language differs, though it is primarily a usability and reliability issue rather than a direct security exploit.

VirusTotal

65/65 vendors flagged this skill as clean.