Macos Spm App Packaging
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is a coherent macOS app packaging template with expected local build, signing, and release scripts, but users should review the scripts before running credential-backed release steps.
This skill appears safe for its stated purpose. Before running it, review the shell scripts, use it only in a trusted macOS development project, and provide Apple/Sparkle signing credentials only when you intentionally perform release notarization or appcast generation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the template can execute local project configuration, build code, and replace the generated .app bundle.
The packaging template executes shell commands and shell-sources a project version file before building and replacing the app bundle. This is expected for a build/package script, but it means the user should treat the project files and script as executable code.
if [[ -f "$ROOT/version.env" ]]; then
source "$ROOT/version.env"
...
for ARCH in "${ARCH_LIST[@]}"; do
swift build -c "$CONF" --arch "$ARCH"
done
...
rm -rf "$APP"Run these scripts only in a trusted project directory, review version.env and copied scripts before execution, and avoid using untrusted repository contents as packaging input.
If used, the script can act with the user's Apple developer notarization credentials for the app being packaged.
The notarization flow requires App Store Connect credentials and writes the private key material to a temporary file for Apple's notarytool. This is purpose-aligned for notarization, but it is sensitive credential handling.
if [[ -z "${APP_STORE_CONNECT_API_KEY_P8:-}" || -z "${APP_STORE_CONNECT_KEY_ID:-}" || -z "${APP_STORE_CONNECT_ISSUER_ID:-}" ]]; then
...
echo "$APP_STORE_CONNECT_API_KEY_P8" | sed 's/\\n/\n/g' > /tmp/app-store-connect-key.p8
...
xcrun notarytool submitUse a scoped App Store Connect API key, protect the environment variables, and consider changing the template to use a unique chmod 600 temporary key file.
Running this helper creates a persistent local code-signing identity in the user's keychain.
The optional development signing helper imports a generated certificate into the user's login keychain and grants access to codesign/security. This is expected for stable local code signing, but it changes the user's signing environment.
security import /tmp/dev.p12 -k ~/Library/Keychains/login.keychain-db \ -T /usr/bin/codesign -T /usr/bin/security
Run it only if you want a local development signing identity, verify the certificate in Keychain Access, and remove it if it is no longer needed.
Users may not see the macOS toolchain and optional credential requirements until reading or running the scripts.
The registry metadata does not declare the developer tools and optional credentials used by the templates, even though the scripts and references require macOS build/signing/notarization tooling. This is an under-declaration rather than hidden behavior because the scripts disclose their commands.
Required binaries (all must exist): none Required env vars: none Env var declarations: none
Declare the expected macOS tools and optional release credentials in metadata or installation notes so users can assess requirements before use.