Trust Assessment
swiftui-empty-app-init received a trust score of 90/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 1 high, 0 medium, and 0 low severity. Key findings include Potential Command Injection via XcodeGen inputs.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Command Injection via XcodeGen inputs. The skill explicitly states it will 'Generate `YourApp.xcodeproj` using XcodeGen' and 'Create a minimal `project.yml` using the provided inputs'. User inputs such as 'Project name' and 'Optional bundle identifier' will be used to construct the `project.yml` file, which is then processed by the `XcodeGen` command-line tool. If these inputs are not properly sanitized or escaped before being incorporated into `project.yml` or passed as arguments to the `XcodeGen` command, a malicious user could inject arbitrary commands, leading to remote code execution on the host system. Ensure all user-provided inputs (e.g., Project name, Bundle identifier) are strictly validated and properly escaped or sanitized before being incorporated into `project.yml` or passed as arguments to the `XcodeGen` command. Avoid direct interpolation of untrusted input into shell commands or configuration files without robust sanitization. | LLM | SKILL.md:40 |