Trust Assessment
macos-spm-app-packaging received a trust score of 35/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 6 findings: 2 critical, 3 high, 1 medium, and 0 low severity. Key findings include Credential harvesting, Arbitrary code execution via sourced user-controlled 'version.env', Command injection via unsanitized APP_NAME in direct binary execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Credential harvesting** (macOS Keychain credential access). Skills should only access environment variables they explicitly need. Bulk environment dumps (`os.environ.copy`, `JSON.stringify(process.env)`) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/dimillian/macos-spm-app-packaging/assets/templates/setup_dev_signing.sh:44 |
| CRITICAL | **Arbitrary code execution via sourced user-controlled `version.env`.** The scripts `package_app.sh` and `sign-and-notarize.sh` use `source "$ROOT/version.env"` to load configuration. The skill documentation explicitly states that `version.env` is user-customizable ("Customize `APP_NAME`, `BUNDLE_ID`, and versions."). If an attacker can control the content of `version.env`, they can inject arbitrary shell commands that will be executed with the privileges of the user running the script. This allows for full compromise of the execution environment. Avoid sourcing user-controlled files directly. Instead, parse the file using a safer method (e.g., `grep` for specific variables and `eval` with strict validation, or a dedicated configuration parser) or ensure `version.env` is not directly modifiable by untrusted input. If it must be user-controlled, implement strict sanitization or a whitelist for allowed content. | LLM | assets/templates/package_app.sh:17 |
| HIGH | **Command injection via unsanitized `APP_NAME` in direct binary execution.** The `compile_and_run.sh` script directly executes the packaged application binary using a path constructed with `APP_NAME`: `"${APP_BUNDLE}/Contents/MacOS/${APP_NAME}"`. If the `APP_NAME` environment variable (which can be user-controlled, as indicated by the `version.env` customization) contains shell metacharacters (e.g., `"; rm -rf /;"`), these characters will be interpreted by the shell, leading to arbitrary command execution. Ensure that `APP_NAME` is strictly validated to contain only safe characters (e.g., alphanumeric, hyphens, underscores) before being used in path construction or direct execution. Alternatively, use `exec` with a full, validated path to prevent shell interpretation. | LLM | assets/templates/compile_and_run.sh:50 |
| HIGH | **Command injection via unsanitized environment variables and script arguments.** Multiple scripts use environment variables (`APP_NAME`, `ARCHES`, `APP_IDENTITY`, `APP_ENTITLEMENTS`, `SPARKLE_PRIVATE_KEY_FILE`, `SPARKLE_DOWNLOAD_URL_PREFIX`, `SPARKLE_RELEASE_VERSION`, `APP_STORE_CONNECT_KEY_ID`, `APP_STORE_CONNECT_ISSUER_ID`, `XCODE_APP`) and direct script arguments (`$1`, `$2`, `$3` in `build_icon.sh`; `ZIP`, `FEED_URL` in `make_appcast.sh`; `CONF` in `package_app.sh`) directly within shell commands without sufficient sanitization. While some variables are quoted, if they contain shell metacharacters that break the quoting or are interpreted by the called command, they can lead to arbitrary command execution. For example, in `build_icon.sh`, `$1` (`ICON_FILE`) is passed to `"$ICTOOL"`. Implement strict input validation and sanitization for all user-controlled environment variables and script arguments. Whitelist allowed characters or patterns. For paths, use `realpath` or similar to resolve and validate. For arguments to external commands, ensure they are properly quoted and that the external command itself does not interpret arguments as shell commands. | LLM | assets/templates/build_icon.sh:16 |
| HIGH | **Temporary exposure of App Store Connect API key in a plaintext file.** The `sign-and-notarize.sh` script writes the `APP_STORE_CONNECT_API_KEY_P8` (a sensitive private key) to a temporary file `/tmp/app-store-connect-key.p8`. Although the script includes a `trap` to remove the file on exit, this creates a window of vulnerability where the key exists on the filesystem in plaintext. If the script crashes unexpectedly, or if an attacker can read `/tmp` during execution, the private key could be compromised. Avoid writing sensitive credentials to disk, even temporarily. If a tool requires a file path, consider using process substitution (`<(echo "$KEY_CONTENT")`) or named pipes if the tool supports it, to avoid writing to a persistent file. Ensure the temporary file is created with restrictive permissions (`umask 077`). | LLM | assets/templates/sign-and-notarize.sh:12 |
| MEDIUM | **Automated creation and import of a code-signing certificate into the user keychain.** The `setup_dev_signing.sh` script automatically creates a self-signed code-signing certificate and imports it into the user's login keychain, granting it permissions for the `codesign` and `security` tools. While intended for development convenience, this is a powerful operation that modifies the user's security configuration. If an attacker could trick a user into running this script with malicious intent (e.g., by manipulating `APP_NAME` to create a misleading certificate name), it could lead to the installation of a rogue signing identity, potentially enabling malicious code to be signed and trusted by the system. Require explicit user confirmation before performing security-sensitive operations like importing certificates into the keychain. Provide clear warnings about the implications. Consider whether this step can be performed manually or with more granular control. Ensure `APP_NAME` is sanitized to prevent misleading certificate names. | LLM | assets/templates/setup_dev_signing.sh:35 |