Back to skill

Security audit

Audit App Store Readiness

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent local App Store readiness auditor that mainly reads a chosen app repository and clearly flags optional build or fix steps.

Install this if you are comfortable running a local Node audit script against app repositories you choose. Review any optional Xcode build, archive, dependency install, Expo prebuild, signing, or patch step before approving it because those can execute project code or create artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script invokes external programs from PATH, including git, plutil, python, and a shell-capable helper via runShell. Even though runShell is not used here, resolving and executing binaries from an attacker-controlled PATH can lead to arbitrary code execution if the audit is run in an untrusted environment or repository setup.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/audit.mjs:95