Security audit

Xcode Cache Cleaner

Security checks across malware telemetry and agentic risk

Overview

This Xcode cache cleaner is purpose-aligned, but it needs review because its local deletion scripts have unsafe edge cases and weaker safeguards than the documentation implies.

Install only if you are comfortable reviewing deletion lists before acting. Run `--dry-run` first, verify every path, avoid `--yes` unless you have just approved the exact cleanup, avoid `--include-archives` unless the archives are backed up, and do not run project cleanup on untrusted or oddly named directories unless the `eval` command construction is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (2)

Vague Triggers

Medium
Confidence: 85%
Finding
The trigger list includes broad phrases such as "free disk space" and "why is this folder so big," which are common, ambiguous requests that may invoke a destructive cleanup skill when the user did not specifically ask to delete development caches. In this skill, unintended activation is more dangerous because the described actions can remove large amounts of local data and alter a developer machine's state.

Autonomous Decision Making

Medium
Category: Excessive Agency
Content
Flags:
- `--dry-run` — Scan and report only, no deletions
- `--yes` / `-y` — Skip confirmation prompt (use when agent is driving)
- `--keep-ios <pattern>` — Keep DeviceSupport folders matching this substring (repeatable). Applied across all `*OS DeviceSupport` dirs, not just iOS.
- `--include-archives` — Also delete `Archives/*` (default: keep)
Confidence: 91%
Finding
Skip confirmation

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.