Xcode Cache Cleaner
Pass. Audited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill
Name: xcode-cache-cleaner
Version: 0.1.0

The skill is a legitimate utility for cleaning Xcode and project-specific build caches (e.g., DerivedData, Pods, node_modules) to reclaim disk space. The scripts `clean-cache.sh` and `clean-xcode-global.sh` perform targeted deletions of known cache directories, include safety features such as dry-run modes and confirmation prompts, and prefer using the system trash when available.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A maliciously named or crafted project folder could run shell commands under the user's account when the agent scans it.
The script builds and evaluates a shell command using TARGET_DIR, which is derived from the user-selected project path. A directory name containing shell metacharacters such as $() or quotes could cause unintended commands to execute during scanning.
done < <(eval "find \"$TARGET_DIR\" $find_args -print0 2>/dev/null" || true)
Remove eval, pass find predicates safely as arrays or as separate hard-coded find calls, quote glob patterns, and preserve NUL-delimited path handling all the way through deletion.
The global cleanup may remove more Xcode DeviceSupport folders than the user expects, requiring Xcode to recreate or redownload support data.
The default DeviceSupport safeguard depends on sort -V to choose the highest-version folder. Stock macOS sort commonly lacks -V; if the sort fails, auto_keep can be empty and every DeviceSupport entry may be queued for deletion instead of one being kept.
auto_keep=$(ls "$dir" | sort -V | tail -1 || true) ... ACTIONS+=("delete:$entry")
Use a macOS-compatible version comparison, fail closed if the keep target cannot be determined, or require explicit --keep-ios patterns before deleting DeviceSupport.
Users may believe project cache deletions are recoverable from Trash when they are actually removed directly.
SKILL.md says both scripts prefer the recoverable Trash when available, but the project-mode script always uses rm -rf on matched paths. That makes the recoverability claim materially weaker for project cleanup.
rm -rf "$p" 2>/dev/null || true
Either update the documentation to state that project-mode deletion is direct and irreversible, or implement the same trash-when-available fallback used by the global cleaner.
