Security audit

TestFlight

Security checks across malware telemetry and agentic risk

Overview

This is a coherent TestFlight automation guide, but it handles Apple release credentials and should be used carefully.

Install only if you need TestFlight release automation. Use least-privilege Apple credentials, store secrets in CI secret storage or Keychain, prefer ephemeral macOS runners, require approval before external distribution or beta review submission, and add cleanup for generated keychains and credential files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The document shows creating a local `api_key.json` file containing an App Store Connect private key, but it does not instruct users to restrict file permissions, avoid committing it, or securely delete it after use. In CI/CD contexts, leaving credential material on disk increases the chance of accidental exposure through workspace artifacts, logs, caches, or reused runners.

Missing User Warnings

Medium
Confidence: 84%
Finding
The GitHub Actions workflow imports signing credentials into a keychain and writes secret-derived files on the runner without warning about sensitive state changes or cleanup. On self-hosted or persistent runners, leftover keychains, certificates, provisioning profiles, or API key files could be recovered by later jobs or users.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.